Learn how GA4GH helps expand responsible genomic data use to benefit human health.
Learn how GA4GH helps expand responsible genomic data use to benefit human health.
Our Strategic Road Map defines strategies, standards, and policy frameworks to support responsible global use of genomic and related health data.
Discover how a meeting of 50 leaders in genomics and medicine led to an alliance uniting more than 5,000 individuals and organisations to benefit human health.
GA4GH Inc. is a not-for-profit organisation that supports the global GA4GH community.
To guide our collaborative, globe-spanning alliance, GA4GH relies on a Standards Steering Committee and an Executive Committee.
The Funders Forum brings together organisations that offer both financial support and strategic guidance.
The EDI Advisory Group responds to issues raised in the GA4GH community, finding equitable, inclusive ways to build products that benefit diverse groups.
Distributed across four Host Institutions, our staff team supports the mission and operations of GA4GH.
Curious who we are? Meet the people and organisations across six continents who make up GA4GH.
More than 500 organisations connected to genomics — in healthcare, research, patient advocacy, industry, and beyond — have signed onto the mission and vision of GA4GH as Organisational Members.
These core Organisational Members are genomic data initiatives that have committed resources to guide GA4GH work and pilot our products.
This subset of Organisational Members whose networks or infrastructure align with GA4GH priorities has made a long-term commitment to engaging with our community.
Local and national organisations assign experts to spend at least 30% of their time building GA4GH products.
Anyone working in genomics and related fields is invited to participate in our inclusive community by creating and using new products.
Wondering what GA4GH does? Learn how we find and overcome challenges to expanding responsible genomic data use for the benefit of human health.
Study Groups define needs. Participants survey the landscape of the genomics and health community and determine whether GA4GH can help.
Work Streams create products. Community members join together to develop technical standards, policy frameworks, and policy tools that overcome hurdles to international genomic data use.
GIF solves problems. Organisations in the forum pilot GA4GH products in real-world situations. Along the way, they troubleshoot products, suggest updates, and flag additional needs.
NIF finds challenges and opportunities in genomics at a global scale. National programmes meet to share best practices, avoid incompatabilities, and help translate genomics into benefits for human health.
Communities of Interest find challenges and opportunities in areas such as rare disease, cancer, and infectious disease. Participants pinpoint real-world problems that would benefit from broad data use.
See all our products — always free and open-source. Do you work on cloud genomics, data discovery, user access, data security or regulatory policy and ethics? Need to represent genomic, phenotypic, or clinical data? We’ve got a solution for you.
All GA4GH standards, frameworks, and tools follow the Product Development and Approval Process before being officially adopted.
Learn how other organisations have implemented GA4GH products to solve real-world problems.
Help us transform the future of genomic data use! See how GA4GH can benefit you — whether you’re using our products, writing our standards, subscribing to a newsletter, or more.
Help create new global standards and frameworks for responsible genomic data use.
Align your organisation with the GA4GH mission and vision.
Solve your real-world data problems with support from this valuable network of global institutions.
Work with like-minded groups committed to better data use in areas like rare disease, cancer, and infectious disease.
Share your thoughts on all GA4GH products currently open for public comment.
Solve real problems by aligning your organisation with the world’s genomics standards. We offer software dvelopers both customisable and out-of-the-box solutions to help you get started.
Learn more about upcoming GA4GH events. See reports and recordings from our past events.
Speak directly to the global genomics and health community while supporting GA4GH strategy.
Be the first to hear about the latest GA4GH products, upcoming meetings, new initiatives, and more.
Questions? We would love to hear from you.
Read news, stories, and insights from the forefront of genomic and clinical data use.
Attend an upcoming GA4GH event, or view meeting reports from past events.
See new projects, updates, and calls for support from the Work Streams.
Read academic papers coauthored by GA4GH contributors.
Listen to our podcast OmicsXchange, featuring discussions from leaders in the world of genomics, health, and data sharing.
Check out our videos, then subscribe to our YouTube channel for more content.
View the latest GA4GH updates, Genomics and Health News, Implementation Notes, GDPR Briefs, and more.
Discover all things GA4GH: explore our news, events, videos, podcasts, announcements, publications, and newsletters.
27 Apr 2023
Creative options exist to address the consequences of the GDPR’s approach to international transfers of research data — whether these take the form of an adequacy decision, international agreement or expanded use of derogations.
In March of last year, President Joseph Biden and European Union President Ursula von der Leyen committed to a transatlantic framework to restore commercial data flows, halted in 2020 with the invalidation of the U.S.-E.U. Privacy Shield by the European Court of Justice. This is a positive and long-anticipated step forward. Negotiations are progressing to frame a new adequacy decision, recognizing the essential equivalence of U.S. and E.U. data protection standards. Hopefully, a concluded agreement might create shared political resolve to find solutions to current data transfer impediments in the public and non-commercial sectors that arose from the General Data Protection Regulation (GDPR).
As outlined in prior Forum commentary, the GDPR offers few available pathways for long-term data transfers for many governmental agencies and research universities outside the European Economic Area. In the U.S., this largely is due to intractable conflicts with statutes and regulations, as well as principles of sovereign immunity (e.g., GDPR provisions specifying indemnification, auditing of data systems by a foreign entity, submitting to the jurisdiction of foreign courts). For the genomics community and others, the resulting alternatives to present data sharing bottlenecks are remote access, federated systems, or distributed analysis. Rather than share pseudonymized data in real time, U.S. and E.U. colleagues run identical but isolated analyses, pooling results using summary meta-analysis. A representative case is the International Genomics of Alzheimer’s Project, where U.S. sites cannot receive E.U. data to an imputation server, nor pool data on a single server.
Creative options, however, do exist to address the consequences of the GDPR’s approach to international transfers of research data — whether these take the form of an adequacy decision, international agreement or expanded use of derogations. Several may require amendments to the European Data Protection Board guidance. Following are possible solutions to explore.
1. Negotiate a sectoral adequacy decision
The emerging U.S.-E.U. Transatlantic Data Sharing Framework may provide a suggestive model for data transfers in biomedical research and related regulatory activities. Although U.S. and E.U. share similar protections enshrined in privacy law, realizing an adequacy decision for scientific data transfers may require extensions of U.S. privacy legislation, or alternative measures that ensure equivalency with the GDPR. This may include areas of access, rectification, and retention of data; judicial redress; powers and independence of oversight authorities; and safeguards with respect to sharing of personal data with non-federal authorities.
However, potential frameworks do exist which might be extended or adapted. For example, the U.S. enacted the Judicial Redress Act (JRA) in 2015 to implement the redress requirements of the Data Privacy and Protection Agreement (DPPA). The JRA established a right for citizens of designated countries to bring suit in federal courts for certain Privacy Act violations, in the context of criminal law enforcement.
2. Conclude an international agreement
Unlike adequacy decisions, international agreements with the E.U. become part of E.U. law, largely independent from GDPR requirements if consistent with the E.U. Charter of Fundamental Rights. Such a scheme, establishing mutually agreed safeguards, must be approved by the European Council and European Parliament. An approved agreement would constitute a lengthy process, with layered political complexities. However, it may present the most stable solution. Formal endorsement by both Council and Parliament may insulate the arrangement from the type of judicial challenge which nullified Privacy Shield and its predecessor agreement “Safe Harbor.” Active U.S.-E.U. data sharing agreements include an umbrella agreement under the DPPA, noted above.
3. Expand Article 46 transfer mechanisms, with appropriate safeguards
Alternatives to agreements could include adoption of standard contractual clauses for scientific research conducted by governmental and non-commercial entities, or a scalable non-binding administrative arrangement (AA) among public institutions. One prospect may be to explore the feasibility of a blanket AA for EDPB review. If a positive opinion is secured, other public bodies and affiliates could join as signatories to the AA. Establishing an AA with a broad “docking” function would help resolve the often-varying interpretations of AA requirements among member states and offer legal assurances.
As with an adequacy decision, a sovereign immunity waiver providing data rights and redress for non-U.S. research participants likely may be a threshold requirement. To date, the use of AA’s is uncommon. However, the Public Company Accounting Board, which regulates auditors of publicly traded companies, successfully established two administrative arrangements with European authorities.
4. Expand use of Article 49 derogations
These exceptions allow for transfers of E.U. personal data in the absence of an adequacy decision, agreement or Article 46 transfer mechanism. Expanded use of derogations may provide an expedient solution for many transfers. Although the EDPB requires that derogations “must be interpreted restrictively” and allow only “occasional” and “not repetitive” transfers, the Schrems II judgment signaled that a broader, more permissive interpretation of derogations may be appropriate. Moreover, in an amicus brief before the U.S. Supreme Court, the European Commission suggested that both the “public interest” and “legitimate interest” derogations may have broader application.
EU institutions are unlikely to accept derogations as a long-term remedy for routine transfers of personal data but may be willing to consider this prospect as an interim measure while other legally available solutions are jointly explored.
The GDPR represents the most comprehensive data privacy regulation in two decades. Many countries are aligning with or adopting the requirements of the GDPR in national legislation. Achieving a durable legal basis for transatlantic data transfers will set an important global precedent.
Relevant GDPR Provisions
This commentary is solely the responsibility of the author and does not necessarily represent the official views of the U.S. Department of Health and Human Services and the National Institutes of Health.
Robert Eiss serves as Senior Adviser, Fogarty International Center, US National Institutes of Health, in Bethesda, Maryland.
See a list of all previous briefs.
Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.