GA4GH Policy Brief: navigating the data sharing implications of national security policies

7 Nov 2024

National security initiatives taken in recent years could implicate researchers and institutions’ ability to share genomic and health related data.

The Health Data Sharing, Privacy, and Regulatory Forum — formerly known as the GDPR & International Health Data Sharing Forum — publishes regular “GA4GH Policy Briefs” that discuss how evolving global laws and regulations impact genomic and health data protection and sharing. The Forum consists of an international editorial team of data protection and legal experts, who solicit, contribute to, and publish these GA4GH Policy Briefs to clarify and share information about emerging and relevant health data sharing policy topics.

A person is writing a tablet, with a holographic image of a DNA and the world sprouting out of their pen

 

By Yunhe Xue, Diya Uberoi, and Yann Joly

Introduction

The responsible sharing of genomic and health-related data is crucial to maximise the value of medical research. Global exchange of data has the potential to not only advance scientific discovery, but also improve clinical care and increase knowledge gained from data collected. As global competition in technological innovation and geopolitical tensions have intensified, a number of countries, including the United States (US) and Canada, have cited national security concerns as a reason for restricting international research collaboration and data sharing. In the early months of 2024, the US Congress began debate on the BIOSECURE Act (“the Act”), and US President Joe Biden signed an Executive Order (“the Order”), marking major efforts to secure Americans’ sensitive information. Following the US’s lead, Canada introduced the Policy on Sensitive Technology Research and Affiliations of Concern (“the Policy”) in May, adding stringent standards to its pre-existing National Security Guidelines for Research Partnerships (“the Guidelines”). While these policies raise important questions about the need to protect personal data, they have also complicated the existing regulatory landscape. Health-related information has traditionally fallen under the purview of privacy and data protection laws, but national security legislation introduces additional challenges for data sharing which have yet to be explored. Below, we describe key provisions regarding data sharing in these security policies and highlight their potential implications for genomic and health research.

The US approach

While the US has been a champion of data sharing in recent years, in a stark move earlier this year, the country shifted its stance to prioritise national security concerns.

After months of deliberation, the US House of Representatives passed the BIOSECURE Act (H.R. 8333, former H.R. 7085) on 9 September 2024. The Act is now under consideration by the Senate and if approved, could constrain international research collaboration through two major provisions. First, the Act specifically targets federally funded agencies, US institutions, and researchers, prohibiting them from procuring “biotechnology equipment and services” produced or provided by a “biotechnology company of concern.” Second, the Act could prevent any federally funded agency from sharing “multiomic data” with entities in countries considered “foreign adversaries”. For researchers in the United States, these provisions may be concerning, as the Act broadly defines the terms biotechnology and foreign adversaries, leaving little room for exceptions. “Biotechnology equipment or services” encapsulates a range of genetic sequencing and mass spectrometry technologies, polymerase chain reaction (PCR) machines, and any related devices used in biological research, development, and analysis. While the list of foreign adversaries is not finalised, it will likely include North Korea, China, Russia, and Iran. The Act has yet to be promulgated into law, but researchers have already raised concerns about their ability to engage in valuable research collaborations.  

Despite the existing broad reach of the Act, the government has sought to further regulate the transfer of Americans’ sensitive data. Citing persisting concerns, President Biden issued an Executive Order on 28 February 2024, and to implement it, the Justice Department issued Notice of Proposed Rulemaking (NPRM) on 21 October.  Even broader in scope, the Order and the NPRM place their own burdens on international research collaboration with the goal of protecting Americans’ sensitive data. Specifically, the Order and the NPRM prohibit and restrict the bulk transfer of sensitive personal and government-related data to the aforementioned foreign adversaries, as well as Venezuela and Cuba. The NPRM defines “bulk” transfer as transferring any data amount that meets or exceeds specified thresholds within a 12 month period. It also suggests the following thresholds would apply:

  • Human genomic data: more than 100 US persons.
  • Biometric identifiers and precise geolocation data: more than 1,000 US persons.
  • Personal health data and personal financial data: more than 10,000 US persons.
  • Covered personal identifiers: more than 100,000 US persons.

Evidenced by these recent regulatory developments, the US has prioritised national security concerns over the promotion of health research and innovation. Though its concerns may be warranted, it is important to acknowledge that the US government’s influence in this space could elicit similar responses globally. As shown below, Canada has now followed suit.  

Canadian approach

In contrast to the United States, Canada has long taken a more nuanced policy approach to national security concerns. On 21 July 2021, Canada released the National Security Guidelines for Research Partnerships, which integrated national security considerations into research partnerships. Unlike the US’s newer regulations, the Guidelines do not target specific countries, but rather encourage a cautioned approach towards partnerships with any foreign government or entity that seeks unauthorised access to research data and performs unwanted knowledge transfer. The guidelines are further distinguished from the BIOSECURE Act in their emphasis for transparency and clear framework under which researchers can identify risks to national security. The Guidelines’ definition of sensitive personal data is also more specific, as it includes personally identifiable health or genetic data (e.g. health conditions or genetic test results).

However, with the introduction of the Policy on Sensitive Technology Research and Affiliations of Concerns on 1 May 2024, Canada’s stance also shifted. The Policy now imposes harsher controls on sensitive research and introduces stricter national security standards for researchers. Specifically, the policy protects sensitive research from exploitation by foreign entities, especially those in biotechnology, medicine, and healthcare. The Policy complements the Guidelines, but is stricter in its approach to data sharing, as it prohibits researchers and academic institutions from engaging in research with foreign institutions that pose significant risks to Canada’s national security. Similar to the US’s position, the Policy now also explicitly names research organisations in foreign countries. 

Conclusion

While the US and Canada have adopted different approaches to national security in research, their recent decisions to more robustly restrict the transfer of data could impede international research in genomics and health. Genomic and health data sharing is crucial to the advancement of medicine and science and researchers must be able to share data widely. While countries have duties to regulate research data to protect national security, these objectives should be balanced against the need for international collaboration that unlocks the innovative benefits of data sharing. The exclusion of specific research communities can hamper innovation, calling on the collective action of the global scientific community. As geo-political concerns continue to change, countries may want to consider adopting more nuanced regulatory approaches. In comparison to binding legislation, softer policy offers greater flexibility, allowing stakeholders to tailor their approach depending on context-specific needs.

Further Reading

Relevant Provisions

  • BIOSECURE Act, H.R. 8333, 118th Cong. § 2(k)(7) (2024) – Definition of multiomic
  • BIOSECURE Act, § 2(k)(2) – Definition of biotechnology equipment or service
  • BIOSECURE Act, § 2(k)(6) (citing 10 U.S.C. 4872(d) (2024) – Definition of foreign adversary
  • NPRM, § 202.249 – Sensitive Personal Data
  • NPRM, § 202.601 – Determination of Countries of Concern
  • NPRM, § 202.205 – Bulk
  • NPRM, § 202.224 – Human Genomic Data

 

Yunhe Xue is a Research Assistant at the Centre of Genomics and Policy (CGP) at McGill University, and a Policy Analyst for GA4GH. 

Dr. Diya Uberoi is a Research Associate at the CGP and a Senior Policy Analyst for GA4GH. 

Prof. Yann Joly is the Director of the CGP and Co-Lead of the GA4GH Regulatory & Ethics Work Stream (REWS).

 

See all previous policy briefs.

Please note that GA4GH Policy Briefs are for information only and neither constitute nor should be relied upon as legal advice. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction. Briefs represent the views of the authors who have received input from Forum Members. 

 

Latest News

Picture of hand writing while binary code runs over the image
5 Dec 2024
Model Data Access Agreement Clauses have been approved as an official GA4GH Product
See more
Picture of Uppsala, Sweden.
14 Nov 2024
GA4GH 13th Plenary
See more
GA4GH announces an open call for nominations for the GA4GH Inc. Board of Directors
12 Nov 2024
GA4GH Inc. opens call for new Board members to enhance global leadership in genomics
See more