1932

Abstract

There is a need to share personal data across jurisdictional boundaries. However, the laws regulating such transfers are not harmonized, and sometimes even conflict, causing challenges and occasional data stalls. This review describes the legal landscape for transfer of human data across international boundaries. The European Union's data protection legislation is used as the starting point for illustrating the legislation of countries across the world, how these diverge, and one's options for exchanging human data internationally in a legally compliant manner.

Loading

Article metrics loading...

/content/journals/10.1146/annurev-biodatasci-122220-110811
2022-08-10
2024-04-17
Loading full text...

Full text loading...

/deliver/fulltext/biodatasci/5/1/annurev-biodatasci-122220-110811.html?itemId=/content/journals/10.1146/annurev-biodatasci-122220-110811&mimeType=html&fmt=ahah

Literature Cited

  1. 1.
    ALLEA (Eur. Fed. Acad. Sci. Humanit.), EASAC (Eur. Acad. Sci. Advis. Counc.), FEAM (Fed. Eur. Acad. Med.) 2021. International sharing of personal health data for research Tech. Rep. ALLEA, EASAC, FEAM Brussels/Berlin: https://easac.eu/fileadmin/PDF_s/reports_statements/Health_Data/International_Health_Data_Transfer_2021_web.pdf
  2. 2.
    The Orphan Drug Act of 1983. 21 U.S.C. Ch. 9 § 301 et seq .
  3. 3.
    Eur. Parliam., Eur. Counc 2000. Regulation (EC) no. 141/2000 of the European Parliament and of the Council of 16 December 1999 on orphan medicinal products. Off. J. L 18/1
    [Google Scholar]
  4. 4.
    Eur. Counc 2009. Council recommendation of 8 June 2009 on an action in the field of rare diseases. Off. J. C 151/7
    [Google Scholar]
  5. 5.
    Perkins BA, Caskey CT, Brar P, Dec E, Karow DS et al. 2018. Precision medicine screening using whole-genome sequencing and advanced imaging to identify disease risk in adults. PNAS 115:143686–91
    [Google Scholar]
  6. 6.
    Njølstad PR, Andreassen OA, Brunak S, Børglum AD, Dillner J et al. 2019. Roadmap for a precision-medicine initiative in the Nordic region. Nat. Genet. 51:924–30
    [Google Scholar]
  7. 7.
    Zhang Y, Qi G, Park JH, Chatterjee N. 2018. Estimation of complex effect-size distributions using summary-level statistics from genome-wide association studies across 32 complex traits. Nat. Genet. 50:1318–26
    [Google Scholar]
  8. 8.
    Ursin G, Stenbeck M, Chang-Claude J, Gunter M, Kaaks R et al. 2019. Data must be shared—also with scientists outside of Europe. Lancet 394:102121902–3
    [Google Scholar]
  9. 9.
    R. Soc 2019. Protecting privacy in practice: the current use, development and limits of privacy enhancing technologies in data analysis Tech. Rep., R. Soc. London: https://royalsociety.org/-/media/policy/projects/privacy-enhancing-technologies/privacy-enhancing-technologies-report.pdf
  10. 10.
    Eur. Parliam., Eur. Counc 2016. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Off. J. L 119/1
    [Google Scholar]
  11. 11.
    Eur. Parliam., Eur. Counc., Eur. Comm 2012. Charter of fundamental rights of the European Union. Off. J. C 326/02
    [Google Scholar]
  12. 12.
    EU Memb. States 2012. Consolidated version of the treaty on the functioning of the European Union. Off. J. C 326/47
    [Google Scholar]
  13. 13.
    Bentzen HB, Høstmælingen N. 2019. Balancing protection and free movement of personal data: the new European Union General Data Protection Regulation. Ann. Intern. Med. 170:5335–37
    [Google Scholar]
  14. 14.
    Bentzen HB 2020. In the name of scientific advancement: how to assess what constitutes ‘scientific research’ in the GDPR to protect data subjects and democracy. Disinformation and Digital Media as a Challenge for Democracy G Terzis, D Kloza, E Kużelewska, D Trottier 341–66 Cambridge, UK: Intersentia
    [Google Scholar]
  15. 15.
    Counc. Eur 1981. Convention for the protection of individuals with regard to automatic processing of personal data Conv. 108 Counc. Eur. Strasbourg, France:
  16. 16.
    Counc. Eur 2018. Convention for the protection of individuals with regard to the processing of personal data Conv. 108+ Counc. Eur. Helsingør, Denmark:
  17. 17.
    Counc. Eur 2022. Chart of signatures and ratifications of Treaty 223: protocol amending the convention for the protection of individuals with regard to automatic processing of personal data Web Resour. Counc. Eur. Strasbourg, France: accessed April 12. https://www.coe.int/en/web/conventions/full-list?module=signatures-by-treaty&treatynum=223
  18. 18.
    Altman RB, Levitt M. 2018. What is biomedical data science and do we need an annual review of it?. Annu. Rev. Biomed. Data Sci. 1:i–iii
    [Google Scholar]
  19. 19.
    Bak MAR, Ploem MC, Ateşyürek H, Blom MT, Tan HL, Willems DL. 2020. Stakeholders’ perspectives on the post-mortem use of genetic and health-related data for research: a systematic review. Eur. J. Hum. Genet. 28:403–16
    [Google Scholar]
  20. 20.
    Parliam. Den 2018. Lov om supplerende bestemmelser til forordning om beskyttelse af fysiske personer i forbindelse med behandling af personoplysninger og om fri udveksling af sådanne oplysninger (databeskyttelsesloven) [Act on supplementary provisions to the regulation on the protection of individuals with regard to the processing of personal data and on the free exchange of such data (data protection act)]. Lov nr 502 af 23/05/2018. https://www.retsinformation.dk/Forms/R0710.aspx?id=201319
  21. 21.
    State Assem. Estonia 2018. Isikuandmete kaitse seadus [Personal data protection act]. https://www.riigiteataja.ee/akt/104012019011
  22. 22.
    Artic. 29 Data Protect. Work. Party 2007. Opinion 4/2007 on the concept of personal data Work. Pap. 136, Artic. 29 Data Protect Work. Party Brussels:
  23. 23.
    EDPB (Eur. Data Protect. Board) 2021. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data: version 2.0 Regul. Recommend., EDPB Brussels:
  24. 24.
    EDPB (Eur. Data Protect. Board) 2021. Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR Regul. Guidel., EDPB Brussels:
  25. 25.
    Kuner C 2020. Transfers of personal data to third countries or international organisations (Articles 44–50). The EU General Data Protection Regulation (GDPR): A Commentary C Kuner, LA Bygrave, C Docksey 153–209 Oxford: Oxford Univ. Press
    [Google Scholar]
  26. 26.
  27. 27.
    EC (Eur. Comm.) 2002. Commission decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act. Off. J. L 2/13
    [Google Scholar]
  28. 28.
    Smith ID, Villiers T, Freeman G. 2021. Taskforce on innovation, growth and regulatory reform Tech. Rep. Taskforce Innov. Growth Regul. Reform London: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/994125/FINAL_TIGRR_REPORT__1_.pdf
  29. 29.
    EDPB (Eur. Data Protect. Board) 2021. Opinion 14/2021 regarding the European Commission Draft Implementing Decision pursuant to Regulation (EU) 2016/679 on the adequate protection of personal data in the United Kingdom Regul. Decis., EDPB Brussels:
  30. 30.
    Eur. Parliam 2021. Resolution of 21 May 2021 on the adequate protection of personal data by the United Kingdom (2021/2594(RSP)). Off. J. C 15/218
    [Google Scholar]
  31. 31.
    Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems Case C-311/18, ECLI:EU:C:2020:559
  32. 32.
    Google 2021. United States national security requests for user information Transpar. Rep. Google Mountain View, CA: accessed April 2022. https://transparencyreport.google.com/user-data/us-national-security?hl=en
  33. 33.
    Microsoft 2021. US national security orders report Transpar. Rep. Microsoft Redmond, WA: accessed April 2022. https://www.microsoft.com/en-us/corporate-responsibility/us-national-security-orders-report?activetab=pivot_1%3aprimaryr2
  34. 34.
    Newsbeezer 2021. France confirms its Health Data Hub will leave Microsoft's servers. Newsbeezer May 18. https://newsbeezer.com/franceeng/france-confirms-its-health-data-hub-will-leave-microsofts-servers/
    [Google Scholar]
  35. 35.
    Dir. e-helse 2021. Setter arbeidet med Helseanalyseplattformen på pause. Press Release Dec. 15 Dir. e-helse, Oslo: https://www.ehelse.no/aktuelt/setter-arbeidet-med-helseanalyseplattformen-pa-pause
    [Google Scholar]
  36. 36.
    EDPB (Eur. Data Protect. Board) 2021. Letter to ENISA regarding the European Cybersecurity Certification Scheme for Cloud Services (EUCS) Regul. Letter, EDPB Brussels: https://edpb.europa.eu/system/files/2021-11/edpb_letter_to_enisa_out2021-00157.pdf
  37. 37.
    Eur. Parliam 2021. Resolution of 20 May 2021 on the ruling of the CJEU of 16 July 2020—Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (‘Schrems II’), Case C-311/18 (2020/2789(RSP)). Off. J. C 15/176
    [Google Scholar]
  38. 38.
    White House 2022. United States and European Commission announce Trans-Atlantic Data Privacy Framework Press Release, Mar. 22 White House Washington, DC:
  39. 39.
    EC (Eur. Comm.) 2022. European Commission and United States joint statement on Trans-Atlantic Data Privacy Framework Press Release, Mar. 25 Eur. Comm. Brussels:
  40. 40.
    EC (Eur. Comm.) 2022. Trans-Atlantic Data Privacy Framework Fact Sheet, Eur. Comm. Brussels: https://ec.europa.eu/commission/presscorner/detail/en/FS_22_2100
  41. 41.
    EDPB (Eur. Data Protect. Board) 2022. Statement 01/2022 on the announcement of an agreement in principle on a new Trans-Atlantic Data Privacy Framework Press Statement Apr. 6, EDPB Brussels:
  42. 42.
    noyb 2022.. Privacy Shield 2.0?” First reaction by Max Schrems Press Statement Mar. 25, noyb Vienna: https://noyb.eu/en/privacy-shield-20-first-reaction-max-schrems
  43. 43.
    EDPB (Eur. Data Protect. Board) 2021. EDPB work programme 2021/2022 Work Program, EDPB Brussels: https://edpb.europa.eu/system/files/2021-03/edpb_workprogramme_2021-2022_en.pdf
  44. 44.
    Rabesandratana T. 2019. European data law is impeding studies on diabetes and Alzheimer's, researchers warn. Science Nov. 20. https://www.science.org/content/article/european-data-law-impeding-studies-diabetes-and-alzheimer-s-researchers-warn
    [Google Scholar]
  45. 45.
    Eiss R. 2020. Confusion over Europe's data-protection law is stalling scientific progress. Nature 584:498
    [Google Scholar]
  46. 46.
    Bentzen HB, Castro R, Fears R, Griffin G, ter Meulen V, Ursin G. 2021. Remove obstacles to sharing health data with researchers outside of the European Union. Nat. Med. 27:1329–33
    [Google Scholar]
  47. 47.
    U.N. Secr 2020. Comments of the United Nations Secretariat on behalf of the United Nations System Organizations on the “Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies” adopted by the European Data Protection Board on 18 January 2020 Public Comment., May 14 U.N. Secr. New York: https://edpb.europa.eu/sites/edpb/files/webform/public_consultation_reply/2020.05.14_letter_to_edpb_chair_with_un_comments_on_guidelines_2-2020.pdf
  48. 48.
    EDPB (Eur. Data Protect. Board) 2020. Letter to Miguel de Serpa Soares Regul. Lett., Oct. 7 EDPB Brussels: https://edpb.europa.eu/sites/default/files/files/file1/edpb_letter_out2020-0109_un.pdf
  49. 49.
    EDPB (Eur. Data Protect. Board) 2021. Letter to Miguel de Serpa Soares Regul. Lett. May 19, EDPB Brussels: https://edpb.europa.eu/system/files/2021-05/edpb_letter_out2021-0086_un_en.pdf
  50. 50.
    EDPB (Eur. Data Protect. Board) 2021. Letter to Miguel de Serpa Soares Regul. Lett., Nov. 18 EDPB Brussels: https://edpb.europa.eu/system/files/2021-11/edpb_letter_out2021-00156_un_en.pdf
  51. 51.
    Bovenberg J, Peloquin D, Bierer B, Barnes M, Knoppers BM. 2020. How to fix the GDPR's frustration of global biomedical research. Science 370:651240–42
    [Google Scholar]
  52. 52.
    Maximillian Schrems v Data Protection Commissioner Case C-362/14, ECLI:EU:C:2015:650
  53. 54.
    EC (Eur. Comm.) 2022. Standard contractual clauses (SCC) Web Resour Eur. Comm. Brussels: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
  54. 55.
    Mascalzoni D, Bentzen HB, Budin-Ljøsne I, Bygrave LA, Bell J et al. 2019. Are requirements to deposit data in research repositories compatible with the European Union's General Data Protection Regulation?. Ann. Intern. Med. 170:5332–34
    [Google Scholar]
  55. 56.
    Ursin G, Bentzen HB. 2021. Open science and sharing personal data widely—legally impossible for Europeans?. Acta Oncol 60:121555–56
    [Google Scholar]
  56. 57.
    Peloquin D, DiMaio M, Bierer B, Barnes M. 2020. Disruptive and avoidable: GDPR challenges to secondary research uses of data. Eur. J. Hum. Genet. 28:697–705
    [Google Scholar]
  57. 58.
    EDPB (Eur. Data Protect. Board) 2020. Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies: version 2.0 Regul. Guidel., EDPB Brussels:
  58. 59.
    EDPB (Eur. Data Protect. Board) 2019. Opinion 4/2019 on the draft administrative arrangement for the transfer of personal data between European Economic Area (“EEA”) financial supervisory authorities and non-EEA financial supervisory authorities Regul. Opin., EDPB Brussels:
  59. 60.
    EDPB (Eur. Data Protect. Board) 2022. Guidelines 04/2021 on codes of conduct as tools for transfers: version 2.0 Regul. Guidel., EDPB Brussels:
  60. 61.
    Phillips M, Molnár-Gábor F, Korbel JO, Thorogood A, Joly Y et al. 2020. Genomics: data sharing needs an international code of conduct. Nature 578:31–33
    [Google Scholar]
  61. 62.
    Artic. 29 Data Protect. Work. Party 2018. Working document setting forth a co-operation procedure for the approval of “binding corporate rules” for controllers and processors under the GDPR White Pap. 263 rev.01, Artic. 29 Data Protect Work. Party Brussels:
  62. 63.
    Artic. 29 Data Protec. Work. Party 2018. Recommendation on the standard application for approval of controller binding corporate rules for the transfer of personal data White Pap. 264, Artic. 29 Data Protect Work. Party Brussels:
  63. 64.
    Artic. 29 Data Protect. Work. Party 2018. Recommendation on the standard application form for approval of processor binding corporate rules for the transfer of personal data White Pap. 265, Artic. 29 Data Protect Work. Party Brussels:
  64. 65.
    Artic. 29 Data Protect. Work. Party 2018. Working document setting up a table with the elements and principles to be found in binding corporate rules White Pap. 256 rev.01, Artic. 29 Data Protect Work. Party Brussels:
  65. 66.
    Artic. 29 Data Protect. Work. Party 2018. Working document setting up a table with the elements and principles to be found in processor binding corporate rules White Pap. 257 rev.01, Artic. 29 Data Protect Work. Party Brussels:
  66. 67.
    EDPB (Eur. Data Protect. Board) 2022. Approved binding corporate rules Binding Corporate Rules Database, EDPB Brussels: accessed April 2022. https://edpb.europa.eu/our-work-tools/accountability-tools/bcr_en
  67. 68.
    noyb 2020. 101 Complaints on EU-US transfers filed News Comment. Aug. 17, noyb Vienna: https://noyb.eu/en/101-complaints-eu-us-transfers-filed?mtc=nl
  68. 69.
    EDPB (Eur. Data Protect. Board) 2020. European Data Protection Board: thirty-seventh plenary session: guidelines controller-processor, guidelines targeting social media users, taskforce complaints CJEU Schrems II judgement, taskforce supplementary measures Press Release Sept. 4, EDPB Brussels: https://edpb.europa.eu/news/news/2020/european-data-protection-board-thirty-seventh-plenary-session-guidelines-controller_en
  69. 70.
    noyb 2022. Austrian DSB: EU-US data transfers to Google Analytics illegal News Comment. Jan. 13, noyb Vienna: https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-analytics-illegal?mtc=nl
  70. 71.
    CNIL (Comm. Natl. Inform. Lib.) 2022. Use of Google Analytics and data transfers to the United States: The CNIL orders a website manager/operator to comply Press Release Feb. 10, CNIL Paris:
  71. 72.
    EDPS (Eur. Data Protect. Superv.) 2022. Decision of the European Data Protection Supervisor in complaint case 2020–1013 submitted by Members of the Parliament against the European Parliament Regul. Decis., EDPS Brussels: https://noyb.eu/sites/default/files/2022-01/Case%202020-1013%20-%20EDPS%20Decision_bk.pdf
  72. 73.
    [Google Scholar]
  73. 74.
    EDPB (Eur. Data Protect. Board) 2018. Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 Regul. Guidel., EDPB Brussels:
  74. 75.
    EDPB (Eur. Data Protect. Board) 2020. Guidelines 05/2020 on consent under Regulation 2016/679: version 1.1 Regul. Guidel., EDPB Brussels:
  75. 76.
    EDPB (Eur. Data Protect. Board) 2020. Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak Regul. Guidel., EDPB Brussels:
  76. 77.
    Dove ES, Chen J, Loideain NN 2021. Raising standards for global data-sharing. Science 371:6525133–34
    [Google Scholar]
  77. 78.
    EU-US TTC (Trade Technol. Counc.) 2021. EU-US Trade and Technology Council inaugural joint statement Pub. Statement, EU-US TTC Brussels: https://ec.europa.eu/commission/presscorner/detail/e%20n/statement_21_4951
  78. 79.
    Manancourt V, Scott M. 2021. Washington says a transatlantic data deal is close. Brussels disagrees. Politico Sept. 17. https://www.politico.eu/article/washington-transatlantic-data-deal-brussels
    [Google Scholar]
  79. 80.
    Scott M. 2022. Digital bridge: Privacy Shield update 3.0—semiconductor subsidies—EU-US policy spat. Politico Feb. 3. https://www.politico.eu/newsletter/digital-bridge/privacy-shield-update-3-0-semiconductor-subsidies-eu-us-policy-spat
    [Google Scholar]
  80. 81.
    Christakis T, Propp K, Swire P. 2021. Towards OECD principles for government access to data. Lawfare Dec. 20. https://www.lawfareblog.com/towards-oecd-principles-government-access-data
    [Google Scholar]
  81. 82.
    Hallinan D, Bernier A, Cambon-Thomsen A, Crawley FP, Dimitrova D et al. 2021. International transfers of personal data for health research following Schrems II: a problem in need of a solution. Eur. J. Hum. Genet. 29:1502–9
    [Google Scholar]
  82. 83.
    DOC (U.S. Dep. Commer.), DOJ (U.S. Dep. Justice), ODNI (U.S. Off. Dir. Natl. Intell.) 2020. Information on U.S. privacy safeguards relevant to SCCs and other EU legal bases for EU-U.S. data transfers after Schrems II White Pap., U.S. Dep. Commer. Washington, DC: https://www.commerce.gov/sites/default/files/2020-09/SCCsWhitePaperFORMATTEDFINAL508COMPLIANT.PDF
    [Google Scholar]
  83. 84.
    Scott M. 2021. US offers deal to woo Europe on data. Politico Oct. 21. https://www.politico.eu/article/negotiations-for-new-transatlantic-data-deal-nudge-forward
    [Google Scholar]
  84. 85.
    Christakis T, Propp K, Swire P. 2022. EU/US Adequacy negotiations and the redress challenge: whether a new U.S. statute is necessary to produce an “essentially equivalent” solution. European Law Blog Jan. 31. https://europeanlawblog.eu/2022/01/31/eu-us-adequacy-negotiations-and-the-redress-challenge-whether-a-new-u-s-statute-is-necessary-to-produce-an-essentially-equivalent-solution/
    [Google Scholar]
  85. 86.
    Bentzen HB, Svantesson DJB 2017. Jurisdictional challenges related to DNA data processing in transnational clouds. Trans-Atlantic Data Privacy Relations as a Challenge for Democracy DJB Svantesson, D Kloza 241–62 Cambridge, UK: Intersentia
    [Google Scholar]
  86. 87.
    Internet Jurisd. Policy Netw 2019. Data & jurisdiction program: operational approaches: norms, criteria, mechanisms Tech. Rep., Internet Jurisd. Policy Netw. Paris: https://www.internetjurisdiction.net/uploads/pdfs/Papers/Data-Jurisdiction-Program-Operational-Approaches.pdf
  87. 88.
    NIPH (Nor. Inst. Pub. Health), Cancer Regist. Nor 2020. Comments on proposed EDPB Guidelines 2/2020 Tech. Comment., NIPH/Cancer Regist. Nor. Oslo: https://edpb.europa.eu/sites/edpb/files/webform/public_consultation_reply/edpb_guidelines_niph_crn_comments_20200518.pdf
  88. 89.
    NSHG-PM (Nord. Soc. Hum. Genet. Precis. Med.) 2020. Comments on EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data Tech. Comment. Dec. 21, NSHG-PM. https://edpb.europa.eu/sites/default/files/webform/public_consultation_reply/nshg-pm_comments_edpb_recommendations_012020.pdf
/content/journals/10.1146/annurev-biodatasci-122220-110811
Loading
/content/journals/10.1146/annurev-biodatasci-122220-110811
Loading

Data & Media loading...

  • Article Type: Review Article
This is a required field
Please enter a valid email address
Approval was a Success
Invalid data
An Error Occurred
Approval was partially successful, following selected items could not be processed due to error