Alena Buyx, Director of the Institute for History and Ethics of Medicine at the Technical University of Munich (TUM) and former Chair of the German Ethics Council, criticizes the strict interpretation of data protection in Germany. She argues that it hinders research and could even cost “statistical lives.”
The EU’s General Data Protection Regulation (GDPR) explicitly grants freedoms to medical research. Despite this, Buyx believes it is still too restrictive. The GDPR is indeed data-use friendly, allowing for the secondary use of patient data without consent, provided the data is securely protected and interests are balanced. However, in Germany, there are still many obstacles to data usage that are being dismantled very slowly.
For example, until recently, there was a paragraph in the Bavarian Hospital Act stating that clinical data from patients could not leave the hospital. This rule likely originated from a time when there was concern that doctors might take records home to write medical reports. Such obstacles still exist, along with contradictory rules about which data can be stored in a register.
Harmonizing these norms would require reviewing all relevant regulations to see how they fit together. However, the bigger issue is the interpretation of data protection rules in Germany, which is much more restrictive than in other European countries like Denmark, Finland, Italy, or Spain. This significantly hampers medical research and treatment.
During the pandemic, Buyx and her colleagues conducted a small study on the GDPR’s data-use-friendly permission clause. They thought that if there was ever a time to exchange and combine data for rapid research and treatment, it was during the pandemic. Using secondary data could quickly reveal how the unknown disease progressed under different conditions and which therapies were most effective. However, they found that hardly anyone knew about or used the permission clause.
Another obstacle is the data protection impact assessment for digital technologies in hospitals, which must clarify who has access to which data and how the data flows and is stored. In Denmark, these assessments are 10 pages long, while in Germany, they can be 200 pages. Researchers in Germany have to handle data protection issues themselves, whereas in other countries, they receive clear, compliant suggestions and study designs.
In Germany, there is a “culture of fear” around health data, leading to a cautious interpretation of data protection guidelines. Researchers often face resistance and hear “no” multiple times before getting approval, which delays studies and can discourage researchers. Many international studies no longer include German researchers, which is a loss for the country.
While loosening the rules could increase the risk of data misuse, Buyx emphasizes the importance of data protection as a fundamental right. However, completely eliminating all risks is impossible, and not using the data also involves risks. Patients might miss out on new insights, suffering longer or dying earlier than necessary. Analyzing secondary patient data with AI and machine learning can help identify patterns, early warning signs of diseases, and effective therapies.
There is a need for studies to quantify potential damages in healthcare due to strict data protection. Buyx notes that people make decisions that involve statistical deaths, like speed limits or purchasing rescue helicopters, but react differently when real lives are at stake, such as in mining accidents.
Despite the challenges, Buyx remains optimistic about progress in digitalization and data use in Germany. Initiatives like the digital patient record and laws for better use of health data are steps in the right direction. However, these measures need to be implemented responsibly to ensure they benefit everyone.