Proposed EU Data Protection Regulations Could Impede Medical Research
With 500 million residents and an aging population, the EU faces high stakes for improving medical research. Spending reflects this priority: the EU spent €6.1 billion ($7.8 billion) from 2007-2013 on medical research, not counting member countries’ individual efforts. But portions of the EU’s proposed General Data Protection Regulation (GDPR) would introduce inefficiencies into the process of conducting medical research in all of the EU’s member states and could have widespread consequences, ultimately impeding lifesaving work and imposing unnecessary financial burdens on research organizations.
The GDPR stipulates that organizations processing individuals’ personal data must obtain informed consent from those individuals every time they want to use data for a purpose other than that for which it was originally collected. Although the regulations would have far-reaching effects on various applications, one of the areas where they have the greatest potential for harm is medical research. The GDPR would reduce researchers’ ability to conduct lifesaving research in cancer, infectious diseases, and other areas, for two reasons. First, it imposes large time and monetary costs on research that is often time-sensitive by forcing researchers to obtain consent from hundreds or thousands of patients. This forces organizations to focus their efforts on compliance rather than conducting lifesaving research. Second, it prevents researchers from accessing data from deceased patients and those who are unable to give repeated consent because the regulations provide no way for patients to give blanket consent for future uses of their data. To address these issues, the EU should revise the proposed regulations to provide a means for researchers to obtain consent that covers multiple uses of patient data, including uses after death.
One way the GDPR would impede medical research is by imposing excessive costs on researchers working on large, high-impact studies. Researchers working on an ongoing large-scale, EU-funded genetic study of colorectal cancer, for example, are using data from 7,000 EU patients. If the researchers wanted to use this meticulously compiled data in a follow-up study, they would need to obtain consent from each of these patients, any number of whom might have moved, died, or simply misplaced the researchers’ correspondence. Maximizing the reuse value of this data paid for by tax dollars means achieving a high response rate when attempting to reacquire consent, which is not only logistically difficult but also takes resources away from potentially life-saving research efforts. After all, every dollar spent on compliance is a dollar not spent doing science.
Another complication the GDPR introduces is how to handle data from deceased patients. Under the GDPR, when a patient dies, their data becomes effectively inaccessible as they are unable to give repeated consent to reuse. As the regulation is written, there is no mechanism by which individuals can “donate their data to science,” giving blanket consent for their data to be used after their death. For researchers studying rare diseases with few patients to work with, such a mechanism could be crucial to achieving meaningful sample sizes. It would be straightforward for the EU to remedy this problem, simply by providing people the ability to opt into a postmortem data reuse scheme.
The GDPR should be more explicit about when organizations must seek consent to reuse data, or better yet allow organizations to ask once for consent to reuse data for multiple related purposes. Such a framework, sometimes called “one-time consent,” would reduce costs associated with asking for repeated consent, reduce organizations’ uncertainty in determining when they might be found noncompliant, and help address the problem of obtaining consent from patients who want to continue making their data available after their death.
Because of the importance of medical research in the EU, it is critical to ensure that it proceeds as efficiently as possible. Research groups such as Science Europe (an association of major European research and research funding organizations), the League of European Research Universities, and the European Society for Medical Oncology have come out against including unreasonably burdensome regulations in the GDPR for similar reasons. Amendments are still being considered in the European Parliament and the Council of Ministers, but the EU expects to adopt the final language of the regulation in late 2014, with the rules coming into force by approximately 2016. Without modifications, the GDPR would introduce roadblocks to the medical research process that will cost lives, medical knowledge, and money for all the union’s member states.