Could GDPR be impeding the global COVID-19 pandemic response?

Researchers suggest the General Data Protection Regulation (GDPR), implemented by the European Union (EU) in 2018, excessively limits the sharing of data outside the EU, hampering global research efforts and the COVID-19 pandemic response.

GDPR was designed and implemented to give EU citizens greater protection and control of their personal data, particularly when it is transferred to entities outside the EU and the European Economic Area (EEA).

But Jasper Bovenberg and colleagues have argued that the current interpretations of GDPR fail to recognise that personal data is used in biomedical research to derive generalised knowledge that benefits society and is applied in ways that pose negligible privacy risks to data subjects. Consequently, they suggest the balance between an individual’s privacy and the benefit to society in research contexts is quite different from others, eg, commercial and marketing endeavours seeking to profile individuals and their behaviour.

The current interpretations of GDPR, they said, has frustrated research, particularly in relation to COVID-19, and this has been exacerbated by recent EDPB guidelines concerning COVID-19 which they suggested lacked both urgency and consideration for the greater public good, as well as failing to account for scientific considerations.

To remedy this, the authors have proposed amendments for consideration by the EU Commission in its upcoming review of GDPR and urge the European Data Protection Board (EDPB) – the GDPR’s governing body – to re-evaluate recent guidance on COVID-19 related research.

They concluded: “We believe that our recommendations can help to redress the unfortunate consequences created by the existing GDPR approach to international transfers of research data and will enable the biomedical research community to share data beyond the EU for scientific research, while ensuring a high level of protection for data subjects.”

Their Policy Forum was published in Science.