Science needs clarity on Europe’s data-protection law

Data-protection laws in Europe offer an exemption for medical research but the details are vague.Credit: BSIP/UIG/Getty

As a commendable值得称赞的 European law on personal data comes into force, the research community must not let excessive caution about data sharing, however understandable, become the default position.

European policymakers have been discussing new rules on data protection for years, and scientists and universities — like everyone else across the continent — are about to see the results. Entering into force on 25 May, a new law known as the General Data Protection Regulation (GDPR), is designed to protect the personal privacy of citizens and will overhaul how personal data are collected, handled, processed and stored. It’s a welcome move to safeguard individuals and is the biggest shake-up of data protection in more than 20 years.

However, as this journal has noted before, earlier drafts of the law posed提出a problem for science and the research community. Of particular concern was the issue of consent准许 — the draft language suggested researchers would be required to seek renewed consent to reuse data collected for a different purpose, which could have introduced delays and made some research impractical. But many in the research community worked relentlessly持续的 to warn policymakers of the potential harm. In response, officials put in place rules that exempt免除、取消 research from some of the requirements, provided如果 the proper safeguards are in place. Universities and organizations have introduced plans to make sure they are. The bulk of the work should be done.

The passing of the final GDPR rules is, therefore, a good example of political engagement约定 by researchers and their advocates支持者, and a sensible and informed reaction from policymakers. Those involved, on both sides, deserve great credit. Harmonization of how data can be sourced, stored and used would, in theory, be good for research. It could smooth the difficulties that scientists face when they try to pool储、收集 analysis of genomic data and tissue samples across national borders. Such sharing could help scientists to organize powerful trials with large numbers of participants.

But although there is some cause for celebration, there are still outstanding issues问题. And that means that the same researchers and advocates must remain vigilant警惕.

The problem is that individual European countries have been left to decide some issues for themselves — for example, how scientific data can be processed. This flexibility is intended to allow countries to fit the rules around existing systems and different cultures, but it might leave nations out of step. Researchers who work under different systems could struggle to share data with each other. That could lead to delays in negotiations between institutions wanting to create collaborative contracts that enable data sharing.

To help prevent this and to offer a unified approach, academics, industry representatives and patients have been meeting over the past year to distil提炼，总结 the complex regulation into a user-friendly guide. This planned code of conduct 行为准则aims to provide a simple ‘how-to’ guide for scientists, for example, by explaining differences in the way countries such as Germany and the United Kingdom define ‘anonymized匿名’ data. The resulting Code of Conduct行为规范 for Health Research, overseen by the biobank network BBMRI-ERIC (see J.-E. Litton Nature 541, 437; 2017), is almost ready for consultation. But meanwhile, medical research remains vulnerable to unintended计划外的 consequences of the new law.

That’s because, until the code of conduct is in place to offer clear guidance about how to comply with the GDPR, day-to-day decisions on how to interpret the law will be left to individual institutions’ legal departments. It would be understandable if they chose to err犯错误 on the side of caution and place restrictions on sharing data for fear of breaking the law.

Even when the code is finalized, it must still be approved by the European Data Protection Board (EDPB), which has not yet said how organizations can submit such codes for evaluation, or how long the process will take.

Some have argued that delays in the code becoming available could be beneficial, because they would allow the research community to thrash out 通过讨论解决 the details of this complicated area of the law. But others worry that if the process drags on too long, medical research will suffer. What starts as a cautious position on how best to share data in line with the law could drift into normal practice.

That would be a missed opportunity and could risk undermining暗中破坏 the good work done so far. Officials on the EDPB must not allow that to happen. The code must be approved and put into practice as soon as possible. It’s important to protect people’s personal data; but it’s also important to ensure data can be used with integrity诚实正直 to support valuable research.