EDITORIAL

Global data meet EU rules

Science  04 May 2018:
Vol. 360, Issue 6388, pp. 467
DOI: 10.1126/science.aat9878

We are at the beginning of the “fourth industrial revolution,” with unprecedented capabilities to acquire, process, and communicate data. As with all revolutions, it holds great promise as well as dangers. Outrage at large-scale privacy breaches demonstrates the perils of taking protection of personal data lightly and reminds us that technological progress challenges policies, values, and approaches to ethics. The European Union (EU) General Data Protection Regulation (GDPR) that takes effect on 25 May offers never-before-seen protections and control by individuals of their personal data, including many provisions for research. Although this should increase public trust and therefore propensity to share data, many implementation details and safeguards have yet to be established. It is clear, however, that interoperability of policies will be essential to promote data sharing across research communities within the EU and globally.

The GDPR promulgates “privacy by design,” improves data custodianship, establishes rights of data erasure and portability, and specifies that consent to collect and use data must be given by clear affirmative action. It establishes that EU protection follows EU individuals' data even if the data leave the EU. The GDPR includes provisions that ensure personal data protection without undue impact on research and innovation. For example, personal data may be used for research purposes that are not identical with those at the time of their initial collection; under certain conditions, personal data may be processed for research without prior consent, and the rights of an individual to object to processing or request erasure may be overridden. Provisions are made for sensitive data, such as genetic, biometric, and health data, or data revealing racial or ethnic origin and political or religious beliefs.

The GDPR sets basic rules and conditions for personal data in research, but provides flexibility for EU member states to legislate many safeguards and conditions. EU states thus must be vigilant that discretion given to them by the GDPR does not undermine interoperability. Legislation is already adopted or in preparation in some EU states, such as the German Data Protection Amendment Act or the UK Data Protection Bill. Interoperability is equally important at the global level; rules for personal data in research in one country may affect use of data from another.

A basic aspect of interoperability is the ability to transfer data. The European Commission has already deemed some non-EU countries' protections adequate under GDPR, including Argentina, Israel, New Zealand, and the United States (limited to Privacy Shield Framework participants), meaning that personal data may be transferred from the EU without authorization or further safeguards.

The research community has a strong interest in promoting consistent regulatory approaches to facilitate access and legal interoperability, including when data are federated in cloud computing environments and access is provided from anywhere in the world. The GDPR has modernized the EU regulatory framework, but international coordination is needed to seek legal interoperability across countries and regions. This must link to efforts resolving technical and organizational barriers to interoperability and to data initiatives like the European Open Science Cloud or the Helix Nebula project. Coordination may be effected in global forums such as the Research Data Alliance, which with the Committee on Data for Science and Technology and the National Information Standards Organization has been looking at legal interoperability, and in community-led initiatives, such as the Innovative Medicines Initiative, which has already launched key projects in this area.

GDPR is a landmark, but sharing of personal data for research across borders on a global scale will remain a technical, legal, and governance challenge—and opportunity—for the global science community.
