International transfers of health data between the EU and USA: a sector-specific approach for the USA to ensure an 'adequate' level of protection.
International health research increasingly depends on collaboration and combination using medical data to advance treatment and drug discovery. The European Union (EU), through its General Data Protection Regulation, has tightened the rules for sharing data across borders to protect individual privacy. These new rules threaten cooperation between the EU and the USA, the two largest public funders of biomedical research. This article analyzes the primary pathway for sharing research data with the USA, the US-EU Privacy Shield, and argues that the Shield is ill-suited to support complex health studies. Its legitimacy is in question under both EU and US law, and its terms are too restrictive for the variety of exchanges underlying research, treatment, and care. As an alternative, we propose that the USA seek an additional sector-based adequacy determination based on the existing US health privacy law, the Health Insurance Portability and Accountability Act. A sector-specific approach to adequacy for health would avoid many of the most contentious issues that divide the USA and EU on data protection. It could also serve as a model for other third-party jurisdictions and facilitate international harmonization of health research practices.
Novo Nordisk Foundation (via University of Copenhagen) (NNF17SA0027784)