The European Union's Adequacy Approach to Privacy and International Data Sharing in Health Research.

Abstract

The European Union (EU) approach to data protection consists of assessing the adequacy of the data protection offered by the laws of a particular jurisdiction against a set of principles that includes purpose limitation, transparency, quality, proportionality, security, access, and rectification. The EU's Data Protection Directive sets conditions on the transfer of data to third countries by prohibiting Member States from transferring to such countries as have been deemed inadequate in terms of the data protection regimes. In theory, each jurisdiction is evaluated similarly and must be found fully compliant with the EU's data protection principles to be considered adequate. In practice, the inconsistency with which these evaluations are made presents a hurdle to international data-sharing and makes difficult the integration of different data-sharing approaches; in the 20 years since the Directive was first adopted, the laws of only five countries from outside of the EU, Economic Area, or the European Free Trade Agreement have been deemed adequate to engage in data transfers without the need for further administrative safeguards.