Introduction
The drive for enhanced research integrity and data sharing in neuroimaging has strong institutional support. For instance, since 2014, the Organization for Human Brain Mapping (OHBM) has championed these goals through its Committee on Best Practice in Data Analysis and Sharing (COBIDAS). A 2014 OHBM council statement declared it “an appropriate time for its membership to embrace a collective effort toward enhancing solid experimental rigor … and an openness with regards to data sharing.”1
Reinforcing this, the COBIDAS Best Practices document further emphasises that “Data sharing is one of the cornerstones of verifiable and efficient research … [and] data should not just be “available on request”, but shared in a data repository that is well organized, properly documented, easily searchable and sufficiently resourced as to have good prospects for longevity.”2
It is this foundational principle, that research data should be openly shared in recognised repositories to maximise its value and utility, that guides this commentary. This imperative is not merely academic; many grant agencies, including the European Research Council (ERC), now mandate that data from their funded projects follow such open principles. The European Union (EU), in particular, champions an approach of making data “as open as possible, as closed as necessary.”3
Reflecting this widespread commitment, the period since the mid-2010s has seen the proliferation of large-scale open science initiatives. Notable examples include public data repositories such as OpenNeuro,4 data structure standards such as the Brain Imaging Data Structure (BIDS),5 and large-scale landmark projects such as the Human Connectome Project6 or the UK Biobank.7,8
Aim
Despite this clear momentum towards openness and its acknowledged benefits, a significant hurdle exists for researchers within the EU. There are legitimate and pressing concerns about the legality of making neuroimaging data freely available. This tension brings the EU’s guiding principle of being “as open as possible, as closed as necessary” into sharp focus, particularly around the interpretation of “closed as necessary.”
The General Data Protection Regulation
At the heart of these legal considerations lies the EU’s General Data Protection Regulation (GDPR),9 which fundamentally shapes how data can be processed and shared. While Article 1 of the GDPR indeed states an objective related to the free movement of personal data within the Union, this is strictly conditional upon adherence to its comprehensive data protection rules. Crucially, these rules and restrictions are triggered whenever data is classified as “personal data.”
To understand the scope of the GDPR in this context, two definitions are paramount. First, “personal data” is defined by the GDPR as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Second, processing encompasses “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
Thus, any neuroimaging dataset that qualifies as personal data and undergoes any form of processing falls squarely within the remit of the GDPR and its stringent requirements.
Is neuroimaging data personal data?
With the GDPR’s framework in mind, a pivotal question for the neuroimaging community is whether its data constitutes “personal data.” While a detailed legal analysis, including case law, is beyond the scope of this article, answering this question necessitates an examination of the GDPR itself.
A key provision in this regard is Recital 26 of the GDPR. Recitals, within the context of EU laws, help interpret the laws but are not intrinsically part of the law itself. This recital clarifies the status of pseudonymised data stating that:
“Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.”
It further advises that:
“To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.”
The critical implications of this recital are twofold: first, pseudonymised data are not exempt from the GDPR; and secondly, the capacity to single out an individual, even without explicit identification, is sufficient to classify data as personal.10
Applying these principles directly to neuroimaging, it becomes evident that these data generally fall under this classification.11–14 Given that MRI data possesses inherently biometric characteristics, and that the “singling out” of an individual’s scan across multiple repositories is often feasible, it is reasonable to conclude that, under the GDPR, such data will consistently be considered personal data.
The need for a legal basis
The classification of neuroimaging data as personal data under the GDPR brings significant consequences for its processing. Chief among these is the requirement for researchers to identify a legal basis for any processing activity, as stipulated by Article 6 of the GDPR. For scientific research, the two most commonly considered bases are:
- 6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- 6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
While consent (Article 6(1)(a)) initially appears attractive, particularly given the long-standing tradition of informed consent in research, its utility for broad data sharing under the GDPR is limited. The Regulation defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes …”; the operative words are “specific” and “informed.” Consent for vaguely defined future research or for sharing across multiple unspecified projects typically fails to meet this criterion. While it is recognised in Recital 33 that ‘It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection’, consent for GDPR purposes is nevertheless interpreted to be linked to specific purposes and thus not compatible with ‘broad’ consent. Indeed, the European Data Protection Board has stated that Recital 33 ‘does not disapply the obligations with regard to the requirement of specific consent’.15 Once again, a full legal academic discussion on these points is beyond the scope of this piece. As a result, reliance on consent as defined by the GDPR renders open sharing for diverse secondary uses practically unworkable.
At this point, it is crucial to distinguish between “consent” as a legal basis under the GDPR and “consent” as an ethical research principle. Ethical informed consent remains a core expectation in research, ensuring transparency and respect for participants. However, GDPR consent, used as a legal basis for data processing, requires a level of specificity and revocability that is fundamentally incompatible with open science data sharing.
The inherent limitation of the consent model often compels researchers to consider Article 6(1)(e), processing necessary for a task in the public interest, as the more appropriate, and frequently the only viable, primary legal basis for their work. However, it is important to note that Article 6(1)(e) requires a basis for processing in Union or Member State law to which the controller is subject wherein the purpose of the processing ‘shall be necessary for the performance of a task carried out in the public interest’.
Special categories of personal data
Even if a lawful basis under Article 6 is identified, neuroimaging data frequently encounters an additional layer of regulation due to its sensitive nature. MRI, as a medical imaging technique, inherently carries the possibility of revealing incidental findings, thereby potentially classifying the data as “data concerning health.” Furthermore, we have established that brain imaging data are biometric data that can be used for the purposes of uniquely identifying an individual. When these conditions are met, neuroimaging data qualifies as a “Special Category of Personal Data” under Article 9 of the GDPR.
This designation is critical because Article 9(1) prohibits the processing of such data by default. This prohibition can only be lifted if a specific derogation under Article 9(2) applies. For research contexts, the most relevant derogations are:
- Article 9(2)(a): “the data subject has given explicit consent …”
- Article 9(2)(e): “processing relates to personal data which are manifestly made public by the data subject”
- Article 9(2)(j): “processing is necessary for archiving purposes in the public interest, scientific or historical research or statistical purposes in accordance with Article 89(1) based on Union or Member State law…”
The challenges previously discussed with consent under Article 6 are amplified for Article 9(2)(a), which demands explicit consent, making it equally, if not more, problematic for broad data sharing compatible with open science practices. The derogation for data “manifestly made public by the data subject” (Article 9(2)(e)) is also rarely applicable in typical research scenarios due to a very narrow or strict interpretation of the legal basis given by the Court of Justice of the European Union (but not in a ruling concerning processing for research purposes – e.g., Case C-252/21), and further developed by the European Data Protection Supervisor16 and leading doctrinal analysis,17 with niche (non-EU) examples like the MyConnectome project18 being exceptions rather than the rule. Furthermore, even if processing is properly based on Article 9(2)(e), this does not avert the need for an Article 6 legal basis,19 which would likely still need to be found in the ‘public interest’ legal basis of Article 6(1)(e).
Consequently, Article 9(2)(j) often emerges as the most plausible derogation for neuroimaging research involving special categories of personal data. On its face, this provision appears to provide a dedicated pathway for scientific research. However, its practical application is also contingent upon a foundation in Union or Member State law, which must also ensure proportionality, respect for ‘the essence of the right to data protection’, and suitable and specific safeguards as per Article 89(1). It is here that the major impediment for European researchers lies. Aside from the European Health Data Space (currently in force but not yet applicable),20 reliance falls on national legislation. Such national laws empowering Article 9(2)(j) may be absent in some Member States, or, where they exist, they can exhibit significant divergences, thereby undermining harmonisation and complicating collaborative, cross-border research efforts. Differences between national laws implementing Article 9(2)(j) include approaches towards ‘appropriate safeguards’, such as anonymisation and pseudonymisation, relevant to health sector research, as well as the presence (or absence) of a requirement to carry out a Data Protection Impact Assessment in respect of particular processing operations (cf.21 for a discussion of Member State approaches).
The core data protection principles
Successfully establishing a legal basis under Article 6 and a derogation for special categories of personal data under Article 9 of the GDPR is merely the entry point into a complex web of ongoing obligations. Researchers and institutions must also adhere to the core data protection principles outlined in Article 5 of the GDPR. These include data minimisation (ensuring that data collected are not more than is necessary for a specified purpose), purpose limitation (collecting data only for clearly defined and legitimate purposes and not processing them in a manner incompatible with those purposes), and storage limitation (defining and adhering to a data retention period, after which data should typically be erased). For open science initiatives aiming for broad data reuse and long-term availability, rigorously applying these principles, particularly purpose limitation and storage limitation, presents substantial operational and conceptual challenges, casting a further shadow on the prospects for seamless international data sharing.
Information obligations and participant rights
Further compounding these obligations are the extensive information requirements mandated by Articles 13 and 14 of the GDPR. Researchers must provide participants with detailed, transparent information about all aspects of the data processing at the point of data collection. This includes the purposes of processing, legal basis, retention periods, recipients of the data (crucial for data sharing), and data subject rights. Moreover, the GDPR empowers individuals with significant data subject rights, such as the right to erasure (Article 17, ‘the right to be forgotten’) and the right to restriction of processing (Article 18). While Article 89(2) allows for certain restrictions to these rights for scientific research purposes, these restrictions are not automatic and often depend on specific conditions being met, critically, through enabling provisions in Union or Member State law. Once again, this reliance on national legislation can lead to a fragmented legal landscape within Europe, where the applicability and scope of these restrictions vary, creating uncertainty for multi-site European projects.
The international dimension
For neuroimaging research that involves collaboration outside the European Economic Area (EEA), Chapter V of the GDPR introduces another layer of complexity regarding international data transfers. Such transfers are permissible only if the third country is deemed by the European Commission to provide an adequate level of data protection (cf. Article 45 of the GDPR) or, in the absence of an adequacy decision, if appropriate safeguards are implemented. These safeguards typically include Standard Contractual Clauses adopted by the European Commission, which are generally legally and administratively demanding to implement, particularly for institutions. Data transfers to the United States have been the subject of considerable controversy. On 16 July 2020, the Court of Justice of the EU22 struck down the EU–US Privacy Shield adequacy decision, but upheld the validity of the Commission’s standard contractual clauses (SCCs) as a transfer tool. Nevertheless, SCCs remain a lawful safeguard only if the exporter and importer assess, case by case, whether the recipient country’s law allows the clauses to be honoured, and add “supplementary measures” whenever necessary. Thus, Transfer Impact Assessments (TIAs) and supplementary measures became mandatory for all SCC-based third-country transfers. The ruling spurred negotiations that produced the EU–US Data Privacy Framework (adequacy decision adopted in July 2023), itself already facing legal challenges (Case T-553/23).
A cumulative burden
The cumulative effect of these multifaceted GDPR obligations places a substantial administrative and legal burden on research institutions and individual neuroscientists. While these responsibilities apply to all, they can disproportionately affect smaller or less-well-resourced institutions. These centres often lack dedicated legal teams to navigate the GDPR’s complexities, the funding for compliant IT infrastructure (such as secure servers and pseudonymisation pipelines), or the administrative capacity to manage extensive documentation, thus hindering their participation in large-scale data sharing initiatives and exacerbating inequities in the research landscape. This threatens overall global competitiveness as collaboration is stifled.
Furthermore, these barriers to data sharing have a critical scientific consequence. By limiting the diversity of datasets to only those from well-resourced institutions, the generalisability of research findings is compromised. This risks generating results that are biased towards specific populations. Ironically, a regulation designed to protect individuals could inadvertently lead to scientific outcomes that are less fair and beneficial to all.
It is evident that while the GDPR (e.g. Recital 159 and Article 89) acknowledges the importance of scientific research and provides certain accommodations, the legislative intent to facilitate research can be undermined in practice. The frequent deferral of specific conditions and derogations to national laws has, as discussed, created a fragmented legal patchwork across Member States. This not only complicates compliance for multi-country studies but can also lead to legal voids where national legislation has not adequately operationalised the research provisions within the GDPR.
Pragmatism and proactivity
Expecting lawmakers to fully anticipate the intricate technical and operational realities of neuroimaging data management and sharing is unrealistic. Consequently, the onus falls upon the neuroimaging community itself, researchers, institutions, and representative bodies like the OHBM, to proactively engage with policymakers and Data Protection Authorities. Crucially, this includes fostering strong intra-European collaborations to develop and adopt harmonised data governance frameworks, ensuring that data can be processed consistently and compliantly across institutions. This engagement should aim to foster a more nuanced understanding of neuroimaging research, advocating for pragmatic, risk-based interpretations of the GDPR that align with ethical research practices, and promote harmonisation of Member State approaches. While this commentary focuses on European realities, it is crucial for international organisations to recognise that diverse global regulatory environments23–26 present unique compliance challenges that also demand tailored support and advocacy.
The central question then remains: How can the neuroimaging community navigate these significant hurdles to foster responsible and equitable data sharing while rigorously upholding the fundamental rights and safety of our research participants?
Conclusion
To address these challenges without disadvantaging smaller institutions, a coordinated multi-level approach is essential, led by an interdisciplinary committee with representatives from neuroimaging, health informatics, and biobanking.
At the structural level, investment must prioritise federated data infrastructure, supported by an enhanced, dedicated European academic and medical research cloud (such as the European Open Science Cloud) to ensure data sovereignty and processing efficiency. This allows institutions to retain control over their datasets while contributing to a larger ecosystem. These efforts must be paired with pooled compliance resources to ensure that excellence in data governance and stewardship is achievable regardless of institutional size.
On a collaborative front, the community must develop and maintain shared toolkits to empower institutions. These should include recognised codes of conduct, clear data sharing decision trees, and centrally updated templates for participant information and data management plans. Crucially, this includes providing targeted training for researchers in privacy-preserving computation and code containerisation (e.g. BIDS Apps) to enable compliant, reproducible analysis workflows.
Finally, on a legal front, collective advocacy is needed to harmonise national regulations and develop proportionate, risk-based compliance frameworks that recognise the specific context of neuroimaging research.
Without progress on all these fronts, Europe risks a two-tiered system in which well-funded hubs share data while less-resourced teams, and the populations they serve, remain isolated. This undermines reproducibility, inclusivity, and the generalisability of findings, especially when some populations are systematically excluded from datasets due to compliance or infrastructure barriers. Realistically, compliance will only become routine when infrastructure, law, and community toolkits converge to make good practice the path of least resistance.
Acknowledgments
This work forms part of the University of Malta’s Data Integrity and Stewardship Cluster (DISC).
Funding Sources
Mireille M. Caruana and Claude J. Bajada are supported by the University of Malta (DISC Cluster Funds).
Conflicts of Interest
The authors declare no competing interests.