Public Preferences for Digital Health Data Sharing: Discrete Choice Experiment Study in 12 European Countries.

BACKGROUND: With new technologies, health data can be collected in a variety of different clinical, research, and public health contexts, and then can be used for a range of new purposes. Establishing the public's views about digital health data sharing is essential for policy makers to develop effective harmonization initiatives for digital health data governance at the European level. OBJECTIVE: This study investigated public preferences for digital health data sharing. METHODS: A discrete choice experiment survey was administered to a sample of European residents in 12 European countries (Austria, Denmark, France, Germany, Iceland, Ireland, Italy, the Netherlands, Norway, Spain, Sweden, and the United Kingdom) from August 2020 to August 2021. Respondents answered whether hypothetical situations of data sharing were acceptable for them. Each hypothetical scenario was defined by 5 attributes ("data collector," "data user," "reason for data use," "information on data sharing and consent," and "availability of review process"), which had 3 to 4 attribute levels each. A latent class model was run across the whole data set and separately for different European regions (Northern, Central, and Southern Europe). Attribute relative importance was calculated for each latent class's pooled and regional data sets. RESULTS: A total of 5015 completed surveys were analyzed. In general, the most important attribute for respondents was the availability of information and consent during health data sharing. In the latent class model, 4 classes of preference patterns were identified. While respondents in 2 classes strongly expressed their preferences for data sharing with opposing positions, respondents in the other 2 classes preferred not to share their data, but attribute levels of the situation could have had an impact on their preferences. Respondents generally found the following to be the most acceptable: a national authority or academic research project as the data user; being informed and asked to consent; and a review process for data transfer and use, or transfer only. On the other hand, collection of their data by a technological company and data use for commercial communication were the least acceptable. There was preference heterogeneity across Europe and within European regions. CONCLUSIONS: This study showed the importance of transparency in data use and oversight of health-related data sharing for European respondents. Regional and intraregional preference heterogeneity for "data collector," "data user," "reason," "type of consent," and "review" calls for governance solutions that would grant data subjects the ability to control their digital health data being shared within different contexts. These results suggest that the use of data without consent will demand weighty and exceptional reasons. An interactive and dynamic informed consent model combined with oversight mechanisms may be a solution for policy initiatives aiming to harmonize health data use across Europe.

A Normative Framework for the Reconciliation of EU Data Protection Law and Medical Research Ethics.

EU data protection law and medical research ethics overlap in scope and content in numerous instances in which personal data are processed in medical research. It is not always the case, however, that the conditions outlined by the two rule-sets precisely coincide. In the past few years, this lack of confluence has led to confusion as to how the two rule-sets should best relate to one another. This confusion has led to different approaches to the relationship being taken, on occasion leading to counter-intuitive conclusions. Unfortunately, there has hitherto been little effort to provide clarity to this confusion. In this regard, this article attempts to provide a general normative framework aimed at facilitating optimally cogent and just reconciliations of EU data protection law and medical research ethics.

International transfers of personal data for health research following Schrems II: a problem in need of a solution.

On 16 July 2020, the Court of Justice of the European Union issued their decision in the Schrems II case concerning Facebook's transfers of personal data from the EU to the US. The decision may have significant effects on the legitimate transfer of personal data for health research purposes from the EU. This article aims: (i) to outline the consequences of the Schrems II decision for the sharing of personal data for health research between the EU and third countries, particularly in the context of the COVID-19 pandemic; and, (ii) to consider certain options available to address the consequences of the decision and to facilitate international data exchange for health research moving forward.

Data Sharing Under the General Data Protection Regulation: Time to Harmonize Law and Research Ethics?

The General Data Protection Regulation (GDPR) became binding law in the European Union Member States in 2018, as a step toward harmonizing personal data protection legislation in the European Union. The Regulation governs almost all types of personal data processing, hence, also, those pertaining to biomedical research. The purpose of this article is to highlight the main practical issues related to data and biological sample sharing that biomedical researchers face regularly, and to specify how these are addressed in the context of GDPR, after consulting with ethics/legal experts. We identify areas in which clarifications of the GDPR are needed, particularly those related to consent requirements by study participants. Amendments should target the following: (1) restricting exceptions based on national laws and increasing harmonization, (2) confirming the concept of broad consent, and (3) defining a roadmap for secondary use of data. These changes will be achieved by acknowledged learned societies in the field taking the lead in preparing a document giving guidance for the optimal interpretation of the GDPR, which will be finalized following a period of commenting by a broad multistakeholder audience. In parallel, promoting engagement and education of the public in the relevant issues (such as different consent types or residual risk for re-identification), on both local/national and international levels, is considered critical for advancement. We hope that this article will open this broad discussion involving all major stakeholders, toward optimizing the GDPR and allowing a harmonized transnational research approach.

Broad consent under the GDPR: an optimistic perspective on a bright future.

Broad consent - the act of gaining one consent for multiple potential future research projects - sits at the core of much current genomic research practice. Since the 25th May 2018, the General Data Protection Regulation (GDPR) has applied as valid law concerning genomic research in the EU and now occupies a dominant position in the legal landscape. Yet, the position of the GDPR concerning broad consent has recently been cause for concern in the genomic research community. Whilst the text of the GDPR apparently supports the practice, recent jurisprudence contains language which is decidedly less positive. This article takes an in-depth look at the situation concerning broad consent under the GDPR and - despite the understandable concern flowing from recent jurisprudence - offers a positive outlook. This positive outlook is argued from three perspectives, each of which is significant in defining the current, and ongoing, legitimacy and utility of broad consent under the GDPR: the principled, the legal technical, and the practical.

Open consent, biobanking and data protection law: can open consent be 'informed' under the forthcoming data protection regulation?

This article focuses on whether a certain form of consent used by biobanks--open consent--is compatible with the Proposed Data Protection Regulation. In an open consent procedure, the biobank requests consent once from the data subject for all future research uses of genetic material and data. However, as biobanks process personal data, they must comply with data protection law. Data protection law is currently undergoing reform. The Proposed Data Protection Regulation is the culmination of this reform and, if voted into law, will constitute a new legal framework for biobanking. The Regulation puts strict conditions on consent--in particular relating to information which must be given to the data subject. It seems clear that open consent cannot meet these requirements. 4 categories of information cannot be provided with adequate specificity: purpose, recipient, possible third country transfers, data collected. However, whilst open consent cannot meet the formal requirements laid out by the Regulation, this is not to say that these requirements are substantially undebateable. Two arguments could be put forward suggesting the applicable consent requirements should be rethought. First, from policy documents regarding the drafting process, it seems that the informational requirements in the Regulation are so strict in order to protect the data subject from risks inherent in the use of the consent mechanism in a certain context--exemplified by the online context. There are substantial differences between this context and the biobanking context. Arguably, a consent transaction in the biobanking does not present the same type of risk to the data subject. If the risks are different, then perhaps there are also grounds for a reconsideration of consent requirements? Second, an argument can be made that the legislator drafted the Regulation based on certain assumptions as to the nature of 'data'. The authors argue that these assumptions are difficult to apply to genetic data and accordingly a different approach to consent might be preferable. Such an approach might be more open consent friendly.