The European Union’s continuing efforts to regulate data in the name of privacy protection are raising growing concerns in the medical research community — and elsewhere — about the potentially costly unintended consequences of those rules. Their concerns should send a cautionary signal to U.S. policymakers considering “privacy-at-any-cost” changes to data laws and regulations without regard to their negative effects.
Case in point: Last March, the European Union proposed the General Data Protection Regulation (GDPR). The new privacy rules would dramatically harm the ability of researchers to conduct medical research throughout all of its member states. If allowed to pass in its current form, many in the medical community believe the GDPR could cost the European Union not only medical knowledge and money, but human lives as well.
The GDPR was created to protect Europeans’ personal data. In pursuit of this goal, it forces organizations that process personal data to obtain informed consent each time they want to use that data for a purpose other than for what it was originally collected. As the Center for Data Innovation’s Travis Korte has argued, while these regulations have chilling effects on many big data initiatives, their greatest potential for harm is in medical research.
Every day, researchers analyze data in an attempt to solve many of today’s pressing medical problems, from unlocking the cure to cancer to slowing the outbreak of Ebola. Unfortunately, the GDPR would greatly hinder these efforts by making it more difficult to reuse data and by greatly increasing overall costs to researchers.
Under the proposed rules, each time a researcher reuses data or does a follow-up study, he or she must obtain consent from each patient in the original study — many of whom may have moved, died or misplaced the researcher’s correspondence. This creates burdensome hurdles that are not only logistically difficult and sometimes completely infeasible, but also limit the reusability of important, lifesaving data. For example, under the GDPR, when a patient dies, his or her data becomes effectively unreachable because he or she is unable to give consent for reuse.
By enforcing this policy, Europe would effectively outlaw big health databases like the United Kingdom’s National Health Service database, which gathers records from patients in England to spot side effects for new drugs and detect outbreaks of infectious diseases.
This policy would also levy burdensome costs on researchers who are often already strapped for funds. Medical researchers would face excessive time and fiscal costs if they are forced to re-obtain explicit consent from hundreds of thousands of patients every time they use a data set. For example, one E.U.-funded project used data from 7,000 patients to conduct a genetic study of colorectal cancer.
Compelling researchers to spend more resources on compliance will divert their focus from what matters most: their lifesaving research. Data takes time and energy to compile and process. Could you imagine how costly it would be to find and obtain consent from each of those 70,000 patients — especially for a follow-up study months or years down the road — long after they have already consented?
A lot of the European Union’s tax revenue, not to mention the tax revenue of individual member states, goes to medical research. In fact, from 2007 to 2013 the E.U. spent €6.1 billion ($7.8 billion) on medical research, discounting individual member countries’ efforts. Therefore, it stands to reason that Europeans would want to get more “bang for their buck” by reusing data across multiple studies. By maximizing the reuse value of data, the European Union can maximize the potential of their tax dollars, and researchers can make sure that every dollar counts.
There are many solutions that could be incorporated into the GDPR to help it address these problems. For use of data after death, the GDPR should offer a mechanism to “donate your data to science,” giving blanket consent for a patient’s data to be used after their death. This would allow researchers that are studying rare diseases with limited access to patients to achieve effective sample sizes. The GDPR should also be more explicit about when organizations must seek consent to reuse data, or allow organizations to ask once to obtain consent for the reuse of data for multiple purposes. This “one-time consent” framework would reduce costs and regulatory uncertainty for organizations, as well as help address the problem of consent after death.
The European Parliament is still in the amendments phase, and the European Union is not expected to adopt final language for GDPR until late 2014, with final rules coming into force by 2016. The European Union should use this opportunity to increase the GDPR’s cost-effectiveness and promote medical research to help save lives.
The lesson here for U.S. lawmakers is that blindly pursuing ever-more-stringent privacy regulations can seriously harm consumer health and welfare. As Congress considers initiatives like 21st Century Cures to accelerate technology-aided innovation in health care, it should avoid overly prescriptive privacy proposals that risk chilling advancement in medicine and other fields. Instead, policymakers should craft narrowly targeted rules to mitigate specific harms, protect individual privacy and ensure medical research can flourish.
Alan McQuinn is a research assistant with the Information Technology and Innovation Foundation. Prior to joining ITIF, he was a telecommunications fellow for Rep. Anna Eshoo, an honorary co-chairwoman of ITIF. While part of the California Democrat’s team, McQuinn assisted with research and analysis for a variety of issues related to information technology and telecommunications.