Oversight of EU medical data transfers – an administrative law perspective on cross-border biomedical research administration

The notion of privacy has long had a central role in human rights law, not least in connection to health and medicine. International, regional and national bodies have enacted a number of binding and non-binding document for physicians and researchers to adhere to, in order to protect the autonomy, dignity and privacy of patients and research subjects. With the development of new technologies, the right to privacy has gained a new perspective; the right to protection of personal data within information and communication technologies. The right to data protection has been attributed an increasing importance within EU law. Accordingly, the use of health data in medical research in general and in biobank-related medical research in particular, has made data protection law highly relevant. In medical research involving biobanks, transferring human biological samples and/or individual health data is taking place on a daily basis. These transfers involve several oversight bodies, institutional review boards (IRBs), research ethics committees, or even data protection authorities. This article investigates the role of these national oversight bodies in the transfer of health data in cross-border research, from an EU law point of view. A special focus is laid on transfer of health data for research purposes from the EU to the US, in the light of the recently enacted EU-US Privacy Shield. The main question posed is how American oversight bodies for medical research can be expected to handle the increasingly strict EU requirements for the processing of health data in medical research review.