Introduction

Health research relies on the use and reuse of special categories of personal data (as defined under Article 9 of the General Data Protection Regulation 2016/679 (GDPR)), such as data concerning health (Article 4(15) GDPR) and genetic data (Article 4(13) GDPR). Moreover, several types of health research are heavily dependent on the exchange of data between countries (e.g., rare disease research)1, and all health research would benefit from greater, meaningful international collaboration. International team science, networks, and consortia have been instrumental in making progress in many research areas2,3. The need to share health data across borders was further highlighted by the COVID-19 pandemic4.

The current legal framework for the conduct of (cross-border) research using health data in the EU is complex and divergent5,6,7. Clinical trials are strictly regulated and subject to mandatory ethical oversight. In this regard, the international ethical and fundamental rights rules are key. Moreover, several layers of laws interplay. First, there are the regulations and directives adopted at the EU level, such as the Clinical Trials Regulation 536/2014, the Medical Device Regulation 2017/746, the In Vitro Medical Devices Regulation 2017/746, and the General Data Protection Regulation (GDPR). Furthermore, new legal initiatives, as first outlined in the European Strategy for Data, have recently been adopted or are soon coming up; these hold the promise of allowing more data to be used for research, while potentially further complicating the navigation of the overall framework (e.g., Regulation 2022/868 (the Data Governance Act), Regulation 2023/2854 (the Data Act), and the European Health Data Space proposal). Each of the 27 EU Member States has national laws in the field of health research, and these are often conflicting. For instance, biobanking is crucial for clinical trials, but legislation for it is not harmonized at the EU level.

Even though the GDPR aimed at harmonizing the rules for the use of personal data among EU Member States, in practice fragmentation remains due to differences in the national implementation of the law and its diverging interpretation at local, regional, and company level7. In addition, although the GDPR laid out a regime for the use of personal data in scientific research8,9, the regulation has been criticized on various grounds, including the disruption of secondary use of data10. The health research community struggles to share data with colleagues outside of the EU, due to GDPR restrictions on international data transfers11,12,13 as well as legal obstacles on the side of non-EU countries, such as sovereign immunity (e.g., as enjoyed by federal institutions in the US, discussed below). Under the GDPR, transfers of personal data to non-EU countries or international organizations can only occur if the data is adequately protected. The rationale is that third countries may not have the same data protection standards as the EU, which could put individuals’ personal data at risk (recitals 101, 103 GDPR). Here we discuss the impediments posed and the efforts to overcome them, focusing explicitly on EU-US collaborations. Many of these issues nevertheless apply to collaborations between the EU and other countries.

Impeded EU-US collaborations

Evidence suggests that health research collaborations between the EU and the US have been impeded since the GDPR entered into force, particularly when it comes to sharing personal data with US public institutions. With respect to federal institutions (e.g., institutions established under the Public Health Services Act, such as the US Department of Health and Human Services, its operating divisions and agencies including the National Institutes of Health (NIH), or colleges and universities funded and governed by the US federal government), the challenges are caused by the sovereign immunity that they enjoy11,13. This means that they cannot provide EU research participants with enforceable data subject rights and effective legal remedies14,15. State institutions (i.e., established under state constitutions or state statutes) may be subject to similar restrictions in state or local laws10.

Forty-seven clinical research sites in the EU could not enroll in NIH-sponsored COVID-19 therapeutic trials due to data transfer restrictions, and thirty-five projects assessing genetic and environmental influences on cancer risk cannot move forward16. Other examples include reports of approximately forty clinical and observational studies on risk factors and exposures for cancer that were delayed because of the existing legal challenges12,17, a 25-year-long diabetes study that was derailed for 18 months12, the International Genomics of Alzheimer’s Project having to run isolated analyses of results due to the inability to share data in real time12,18, and multiple research projects within the National Cancer Institute (NCI) Cohort Consortium that were suspended or delayed because the European partners could not proceed with data transfers19. Projects whose disruptions, delays, or cancellations become publicly discussed are the tip of the iceberg. Most disruptions do not reach public discussion. Moreover, many trans-continental projects do not even get launched, or modify their plans (and diminish their scope and value) because of anticipated data transfer obstacles. Even when projects do somehow materialize, the quality of the collaborative science may sometimes suffer from the restrictions.

The legal framework

Based on the guidance of the European Data Protection Board (EDPB)20 and the case law of the Court of Justice of the EU (CJEU)14,21,22, international transfers under the EU rules comprise both the disclosure of data by transmission and any other making available of data, including remote access23. A definition of international transfer, however, is not present in the GDPR itself. It is the responsibility of the data controller to choose the suitable data transfer provision. The regulation provides several routes for valid data transfers, namely: (1) adequacy decisions (Article 45), (2) appropriate safeguards (Article 46), and (3) derogations for specific situations (Article 49).

An adequacy decision is a decision of the European Commission that a third country ensures a level of data protection that is “essentially equivalent” to that ensured within the EU. With an adequacy decision in place, transfers of personal data can proceed freely, subject to the conditions in the decision itself. Until now, the European Commission has recognized only fourteen countries as providing adequate protection. In the context of EU-US data transfers, there have been two adequacy decisions (Safe Harbor and Privacy Shield) that legitimized private sector transfers made to US organizations that self-certified to the framework. The Privacy Shield also covered transfers by pharmaceutical and medical device companies, as well as transfers for regulatory and supervision purposes to US regulators. However, the needs of public sector researchers were not addressed24. Both adequacy decisions were invalidated by the CJEU due to unjustified interferences with EU fundamental rights14,22. The issue lies with US surveillance laws such as Section 702 of the US Foreign Intelligence Surveillance Act (FISA). More specifically, the court highlighted two problems with the US system: (1) US mass surveillance programs did not respect the principle of proportionality under EU law, meaning that they were unnecessarily broad and included inadequate safeguards to protect individuals’ fundamental rights, and (2) the US system lacked effective judicial review mechanisms for EU citizens14. At the time that the Privacy Shield was invalidated, it was reported that 137 firms in the health information technology sector, 90 firms in biopharmaceuticals, 56 in medical devices, and 36 in health care services were relying on it for their transatlantic data transfers25.

In July 2023, the European Commission adopted a new EU-US adequacy decision, the so-called EU-US Data Privacy Framework (DPF)26, thus increasing the number of recognized countries to fifteen. The recent Executive Order 14086 of the US President27 was considered by the Commission as decisive for its assessment of whether the required fundamental rights standard is provided in the US. However, commentators have already noted shortcomings in the EU-US DPF that contradict the requirements of the CJEU28,29. Less than two months after its adoption, the DPF was challenged before the CJEU30. While it is highly likely that it will take several years for the court to reach a decision31, expectations that the DPF will not provide a long-term solution for EU-US data transfers already abound29.

In the absence of an adequacy decision at the EU-US level, personal data transfers can occur based on appropriate safeguards, which are exhaustively enumerated in the GDPR (Article 46). At the moment, the only safeguards developed in a standardized manner are the standard contractual clauses (SCC). SCCs are model contract clauses that have been approved by the European Commission and which impose GDPR-derived obligations on the recipients of the data. The Commission issued a modernized set of SCCs in 202132. Following the CJEU’s judgment in Data Protection Commission v. Facebook Ireland Ltd., Maximilian Schrems (so-called Schrems II)14, researchers now need to assess and confirm whether a third country (such as the US) provides an “essentially equivalent” level of data protection and, if not, whether additional safeguards can be implemented so that equivalent protection can be ensured in another way24, i.e., they need to conduct a transfer impact assessment. This assessment of the law and practice of the third country has been referred to in the literature as a “mini-adequacy” decision33 and is likely to exceed the legal and financial resources of researchers exporting data24,33. Furthermore, the SCCs are not viable when the recipient entity is an arm of the US government, such as the NIH, or public universities or academic medical centers. This is linked to the issues described above with respect to the US mass surveillance programs, as well as the sovereign immunity enjoyed by US federal institutions10,11,13,15,34. The US Privacy Act of 1974 has put in place a sovereign immunity waiver for US citizens and permanent residents that grants them enforceable rights and legal remedies. Bentzen et al. have suggested that this waiver should be extended to non-US research participants whose data is processed by US federal institutions13, but to date this has not occurred.
Since the entry into force of the GDPR, the NIH completed only two successful data use agreements with European partners. Both of these agreements were based on arrangements concluded under Article 46 GDPR, which are likely not scalable due to the reasons described above.

Article 46 also contains provisions that pertain specifically to transfers of personal data from EEA public bodies or authorities to public bodies in third countries or international organizations. These allow appropriate safeguards to be put in place by either (1) a legally binding and enforceable instrument between public bodies (Article 46(2)(a) GDPR), or (2) provisions inserted into administrative arrangements between public bodies, subject to authorization from the competent data protection authority (Article 46(3)(b) GDPR).

As a final possibility under the GDPR, researchers are left with derogations for specific situations under Article 49. The derogations are a set of seven conditions, such as the explicit consent of the data subject for the transfer (Article 49(1)(a)), the transfer being necessary for important reasons of public interest (Article 49(1)(d)), or the transfer being necessary to protect the vital interests of the data subject (Article 49(1)(f)). Any one of the conditions alone suffices to allow the data transfer. These conditions, however, cannot be used for repetitive transfers (Article 49(1) GDPR)35.

If none of the above tools are available, the GDPR offers a last resort option under Article 49(1) paragraph 2, named by Bentzen et al. a “safety valve derogation”36. This option is applicable only upon fulfilling a complex set of cumulative conditions, i.e., the transfer should: (1) not be repetitive, (2) concern only a limited number of data subjects, and (3) be necessary for the purposes of compelling legitimate interests pursued by the controller (e.g., hospital, research institute, pharmaceutical company, or other) which are not overridden by the interests or rights and freedoms of the data subjects; the controller should (4) assess all the circumstances surrounding the data transfer, (5) provide suitable safeguards with regard to the protection of the personal data, (6) inform the data protection authority of the transfer, and (7) inform the data subjects of the transfer and of the legitimate interests pursued. Until a recently documented case, discussed below, this option had never been used to our knowledge.

The research community calls for solutions

The challenges associated with EU-US health data transfers have been subject to discussions by the research community. Numerous calls for finding a long-term legal solution have been issued in the past years. A joint initiative of the European Federation of Academies of Sciences and Humanities (ALLEA), the European Academies’ Science Advisory Council (EASAC), and the Federation of European Academies of Medicine (FEAM) recommended that a workable way forward under Article 46 GDPR (i.e., use of appropriate safeguards) should be found – either by having the wording of the existing SCCs revised or by creating additional SCCs for scientific research11,34, similar to recommendations advanced by Hallinan et al. and Ursin et al.19,24. Bentzen et al. supported use of the narrow “safety valve derogation” under Article 49(1)(2) GDPR36. They provided recommendations on how to fulfill the challenging conditions that accompany this tool and received positive feedback for its first-time use from the Norwegian data protection authority. The tool allowed the authors to re-enable data transfers in an impeded clinical trial. Although, owing to its resource-demanding nature and the uncertainty as to whether other EU data protection authorities would embrace it, this tool does not provide the needed long-term solution, it is a successful example of a step in the right direction. Finally, many other scholars do not provide concrete suggestions but have repeatedly urged EU and US policymakers to find a viable solution3,10,13,18.

In addition, researchers have also looked for technical solutions to the existing challenges. As put by Hallinan et al., there are technical measures that do not involve actual data transfers and thus offer pathways to avoid the hurdles posed by GDPR rules1. Technical ways forward may include data visitation24, federated analyses37, and other privacy-enhancing innovations, but their employment is currently still riddled with practical and legal limitations37. The Research Data Alliance Working Group on Artificial Intelligence and Data Visitation, established under a grant of the European Open Science Cloud (EOSC), is an example of a recent initiative that aims to address the ethical, legal, and social challenges surrounding the uptake of such technical tools38.

The European Health Data Space as a way forward?

In May 2022, the European Commission published a proposal for a new EU regulation – the European Health Data Space (EHDS)39, which aims to build a legal framework consisting of trusted EU and Member State governance mechanisms and a secure processing environment that would allow researchers to access relevant health data. The Council of the EU and the European Parliament reached a provisional agreement on the new law in March 202440, and formal adoption by both institutions is expected later in 2024, following legal-linguistic revision. The new law establishes, inter alia, rules on the secondary use of personal health data, including the use and reuse of data for scientific research. A key role here will be played by health data access bodies (HDABs), foreseen to be public sector bodies established in EU Member States, which will be responsible for issuing permits and providing access to data in a secure processing environment (Articles 36, 37, 46 EHDS; hereafter reference is made to the most recent publicly available version of the EHDS regulation text, which is the provisional agreement from 18 March 2024). If several HDABs exist in one Member State, a coordinator HDAB shall be designated among them (Article 36(1) EHDS). Additionally, each Member State will have to designate a national contact point (which may be the coordinator HDAB) responsible for making health data available in a cross-border context (Article 52(1) EHDS).

The EHDS regulation contains provisions that would enable third countries – including the US – to integrate their own national points of contact with the EHDS infrastructure (Articles 47b, 52(5) and (6), 63 EHDS). To be admitted to the EHDS infrastructure, third countries would have to go through an assessment – performed by the European Commission and representatives of the national points of contact of the EU Member States – of compliance with the legal, organizational, technical, and security requirements envisaged in the EHDS regulation. Access to data in the EHDS will be performed only on an EU infrastructure and according to robust technical, organizational, and security requirements determined by the EU policymakers. Moreover, third countries will have to provide access to EU data users on equivalent terms and conditions.

Molnár-Gábor et al. have already pointed out the need to explore this opportunity as a solution to the challenges the GDPR presents for international data transfers33. In particular, in an article written prior to the institutional agreement on the EHDS regulation, they recommended that access of researchers in non-EU countries to the EHDS should not be treated as an international data transfer, while also pleading for a reconsideration of the concept of “data transfer” itself (i.e., so that it does not encompass mere access to data)33.

It is out of the scope of this perspective paper to discuss a (possible) redefining of the notion of “data transfer”. Moreover, the most recent publicly available version of the EHDS regulation confirmed that access of researchers from non-EU countries to the EHDS infrastructure will remain subject to compliance with the rules on international transfers contained in Chapter V of the GDPR (Article 52(2), Article 63 EHDS). While we agree with Molnár-Gábor et al. that the EHDS should be explored as a possible solution for cross-border research collaborations, we argue for a different route from theirs, one particularly interesting with respect to solving the challenges faced by US public institutions involved in health research collaborations.

To join the EHDS infrastructure, a transfer mechanism under the GDPR (as described above) would still need to be identified. As it can be expected that EU and third country national contact points for cross-border access will be public sector bodies, we suggest that the mechanisms under Article 46(2)(a) and Article 46(3)(b) GDPR (see above) should be particularly explored. The EDPB has previously adopted detailed guidelines on the application of these provisions41. As the European Commission is expected to adopt implementing acts establishing the compliance of third countries’ national contact points with the relevant EHDS and GDPR rules (Article 52(2) EHDS), a pragmatic solution could be to consider these acts, alongside the stringent data governance framework established by the EHDS itself, as sufficient to satisfy the appropriate safeguards criterion. Administrative arrangements put in place between EU and US public bodies acting as national contact points could refer to the implementing acts.

However, the success of this approach would depend on several conditions. First, on whether the European Commission, in its implementing acts, can provide a clear pathway as to which GDPR data transfer mechanism should be relied upon in the scope of cross-border access to data under the EHDS framework, with our recommendation being to explicitly refer to the application of Article 46(2)(a) and Article 46(3)(b) GDPR. Second, on whether the US authorities would be willing to consider and prepare their application as a third country to the to-be-established EHDS infrastructure, and specifically to identify the best positioned public institution to act as national contact point. Third, on whether the US would be ready to waive sovereign immunity for its national contact point.