Optimising cohort data in Europe

Third, there are considerable interplay and potential contradictions between different EU jurisdictions in relation to the ethical uses and sharing of data (Townend, 2018). During the processing of health data, for instance, data controllers and data processors do not only have to take the GDPR and the corresponding national legislation into account but they also have to comply with international rights conventions (e.g. EU Clinical Regulation no: 536/2014; the Oviedo Convention and the Charter of Fundamental Rights) (Salokannel et al., 2019). In order to solve the contradiction between various jurisdictions and enable the scaling of research, researchers rely on “compute-to-data” methods where the data is not physically shared (e.g. DataSHIELD; BioSHaRE-EU). “Compute-to-data” frameworks allow combining individual-level analysis of harmonised data from various EU cohorts (regardless of whether they are held by cohort custodians or requested remotely) (Nurmi et al., 2019). Fourth, the GDPR has extremely strict information obligations for the processing of personal data and its secondary use, which significantly hinders the transfer of legacy data between biobanks (Kiehntopf, 2019). Namely, under the GDPR each participant has to be informed individually when their data is retroactively transferred to databanks (Article 13). Controllers of the initial data collection are also required to inform participants about any change in the purpose and processing of data as well as their right to forbid any transfer of their data to biobanks. Finally, biobanks should inform participants when data is transferred outside the European Economic Area (EEA) settings. It is almost impossible to obtain exceptions for such strict information requirements. Even if the participant has all the information, there is still the requirement that supplementary information should be constantly communicated as the conditions and situations change over time (Van der Wel et al., 2019). Fifth, there is some confusion between consent as a research principle (i.e. it allows the collection of data) and consent as a provision within the GDPR (van Veen, 2018). That is, consent acquires a different meaning depending on whether it is applied for concrete research aims, or for research use of data and biological materials (Beyan et al., 2020). Moreover, the GDPR relies on the compatible processing principle, meaning that data processing should be compatible with the purpose for which the data was initially collected. This contradicts the rationale of dynamic consent, which is increasingly being used in cohort data research. Namely, dynamic consent requires a constant dialogue with participants about the purpose of consent. In this context, a stress on the initial consent purpose may seem redundant (Saunders et al., 2019). This leads some researchers to question whether the GDPR framework of compatible processing should not be abandoned altogether (Machuletz & Böhme, 2019). Sixth, there is an opposition between some GDPR's principles and the ways in which cohort research is conducted, especially when digital data collection technologies are involved. Per the GDPR, researchers have to comply with the transparency requirement (Art 5(1) a). From the onset of the research project, researchers have to specify how they