
WHAT FISHHOOKS EXIST FOR TRANS-NATIONAL RESEARCH?

Expediting the development of a vaccine is a shared goal among countries to contain and mitigate the impact and risk of COVID-19. As such, cross border cooperation to develop a vaccine is a top priority. However, it raises concern as to whether there is a sufficient level of protection for health data in trans-national research, given that it lacks a standardised privacy law and cross border data flow approach among countries. This section discusses the possible options for using health data from the EU for cross border health research.

 

First, the European Commission (EC) has set out an adequacy decision based on Directive 95/46/EC. Member countries in the EU and European Economic Area (EEA) transfer health data to countries outside the EU that have an adequate level of personal data protection; specifically, this data can be transferred if their legal system fulfils the requirements under Article 45(2)(a) of the GDPR. It takes into consideration – but is not limited to – domestic privacy laws and human rights protection.[1] If a non-EU country has an adequate level of personal data protection, it is not required to adopt additional safeguards.[2] There are 12 countries recognised by the EC, one of which is New Zealand.[3] However, adequacy decisions do not apply to all sectors.[4] An international agreement between the EU and other countries also allows these parties to decide their own standard of privacy law if “it deems appropriate to ensure the protection of personal data and privacy”.[5] This flexibility allows countries to adopt different aggressive strategies in regard to collecting and processing data for tracking and monitoring the spread of COVID-19.[6]

 

Second, cross border data flow is allowed if countries adopt appropriate safeguards, as set out in Article 46. Article 46(2)(a) explains the transfer of genetic data for health research among countries. It is allowed if there is a “legally binding and enforceable instrument between public authorities”. However, as countries have divergent approaches to domestic privacy law, they are unable to reach common ground for establishing an enforceable instrument on cross border data flow in health research.[7] Nations may consider a “standard data protection clause adopted by the Commission”. However, given the divergence of countries such as the US, EU, and China, it is unlikely that they would agree to adopt a standardised approach for data flow.

 

The US disagrees with the dispute resolution clause which takes place in EU courts, as well as the standard data protection clauses that restrict the ability of the US to decide its own law.[8] As such, standard data protection clauses do not apply to US entities, such as US public health authorities, universities, and research centres.[9] This unilateral measure poses an impasse on health research in the EU, which is funded by the US.[10]

 

Another option is that a supervisory authority could oversee the contractual clauses among institutions regarding data protection and cross-border data flow under Article 46(3)(a). However, it is doubtful whether such institutions would opt into this approach, or if the supervisory authority would act promptly during a pandemic.

 

Third, explicit consent may be an option for trans-border data flow, as set out in Article 49(1)(a). However, there are a number of obstacles to obtaining explicit consent for secondary health research in practice, as discussed above. Furthermore, broad consent from participants to transfer health data is not acceptable.[11] Although the EDPB states that private organisations are allowed to rely on explicit consent for health research in response to COVID-19, it lacks specific guidelines.[12]

 

Given the global pandemic, public interest – as set out in EU law and the domestic laws of member states – is an attractive pathway under Article 49(1)(d) and Article 49(4). However, the EDPB takes a cautious approach, in which cross border data flow for health data based on public interest should only be adopted for specific purposes.[13] Member states can adopt unilateral measures in the public interest, but these must be justified under EU law.[14]

 

Controllers who are private entities may be able to rely on legitimate interests for cross border data flow in health research if they fulfil the three-step test under Article 49(1). However, given that genetic data is highly sensitive, these private entities should adopt rigorous safeguards to protect the interests, freedom, and rights of an individual; they must also show that this is the only option available.[15]

 

The GDPR provides sufficient protections for transferring genetic data for health research purposes in vaccine development. However, it is unclear whether nations that adopt divergent privacy laws can converge on an approach to cross border data flows. The issue is further complicated because it involves sensitive data. Nations may adopt protectionism under the guise of national security, which is an obstacle to cross border data flow for health research related to vaccine development.

 

 

| | EU | US | New Zealand |
|---|---|---|---|
| Cross-border data flow | The EU adopts the GDPR. The GDPR provides safeguards for trans-national research if nations do not have an adequate level of protection. | The US does not have an adequate level of personal data protection. A standard data protection clause is an alternative. However, the US disagrees with the standard data protection clauses and the dispute resolution. The US government is concerned that these clauses restrict the ability of the US to adopt its own law. | NZ has an adequate level of personal data protection. However, adequacy level does not apply to all sectors. The new Privacy Act 2020 adopts similar provisions to those in the GDPR and the Privacy Act of Australia. Cross border data flow is subject to these safeguards. |
| Privacy | Human rights are the fundamental rights of the GDPR. Exceptions such as public interests and legitimate interests should comply with the laws of member states. | The government decides the privacy law and adopts a trade driven approach. | Privacy law has a ‘one size fits all’ approach, and is used as a way to exercise service rights. |

Table 1: US, EU, and New Zealand policies related to cross-border data flow and privacy law

[1] GDPR of 2018, Article 45(2)(a).

[2] European Commission “Adequacy Decision” at <https://ec.europa.eu/home-affairs/e-library/glossary/adequacy-decision_en> [accessed on 31 October 2020].

[3] European Commission “Adequacy Decision – How the EU determines if a non-EU country has an adequate level of data protection” at <https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en> [accessed on 31 October 2020].

[4] European Commission “Adequacy Decision – How the EU determines if a non-EU country has an adequate level of data protection” at <https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en> [accessed on 3 November 2020]. Adequacy level of data protection does not include sectors under the “Police Directive” as set out in Article 36 of EU Directive 2016/680.

[5] Federica Velli “The Issue of Data Protection in EU Trade Commitments: Cross-border Data Transfers in GATS and Bilateral Free Trade Agreement” [2019] European Papers, The International Dimension of European Integration, The external action of the EU, International trade law and policy.

[6] European Law Blog “The Coronavirus Crisis and EU Adequacy Decisions for Data Transfers” (03 April 2020) at <https://europeanlawblog.eu/2020/04/03/the-coronavirus-crisis-and-eu-adequacy-decisions-for-data-transfers/>. For example, in March 2020, the Prime Minister of Israel announced that digital tools for tracing and monitoring purposes are not required to obtain consent from an individual to collect and process their personal data, though Israel had an adequate level of data protection in the past. See also Wiewiorowski W “EU Digital Solidarity: a call for a pan-European approach against the pandemic” European Data Protection Supervisor (06 April 2020) at <https://edps.europa.eu/sites/edp/files/publication/2020-04-06_eu_digital_solidarity_covid19_en.pdf>.

[7] Leading countries such as the US, EU and China have different views on privacy law. The US adopts a trade-driven approach to privacy, the EU adopts a human rights-driven approach and China adopts a government-driven approach. Because of the divergence among countries in privacy law, they are unable to converge on an approach to cross border data flow.

[8] David Peloquin, Michael Dimaio, Barbara Bierer and Mark Marnes “Disruptive and avoidable: GDPR challenges to secondary research uses of data” European Journal of Human Genetics 28, 697-705 (2020) at <https://www.nature.com/articles/s41431-020-0596-x>.

[9] David Peloquin, Michael Dimaio, Barbara Bierer and Mark Marnes “Disruptive and avoidable: GDPR challenges to secondary research uses of data” European Journal of Human Genetics 28, 697-705 (2020) at <https://www.nature.com/articles/s41431-020-0596-x>.

[10] Ibid.

[11] European Data Protection Board “Guidelines 02/2018 on derogations of Article 49 under Regulation 2016/679” (05 May 2018) at <https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf>.

[12] European Data Protection Board “Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak” (2020) at <https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf> [accessed 31 October 2020].

[13] European Data Protection Board “Guidelines 02/2018 on derogations of Article 49 under Regulation 2016/679” (05 May 2018) at <https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf>.

[14] European Data Protection Board “Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak” (2020) at <https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf> [accessed 31 October 2020].

[15] GDPR of 2018, Article 49(1).