
The Relationship Between Data Protection Regulation and Biopharmaceutical R&D
The Issue
Biopharmaceutical innovation depends on access to sensitive data. This data, typically drawn from sources like medical records, clinical trial results, lab research, and genomic studies, is used to identify new drug targets, validate biomarkers, design clinical trials, and train artificial intelligence (AI) systems that accelerate drug discovery and the development of new therapies. Because this research requires access to such sensitive information, privacy regulations have been implemented to safeguard data, but some of these protections can inadvertently harm medical research. Policies that constrain how firms collect and use data often impose incidental economic costs, reducing the breadth of data supporting the development of new biopharmaceutical innovations (as well as the incentives to pursue them). In addition to restricting data access, data protection regulations impose compliance costs that require firms to redirect resources toward meeting regulatory requirements, which can shape firms’ strategic choices around research and development (R&D) investments. By contrast, with the right policy support, firms could instead invest in privacy enhancing technologies (PETs) and related infrastructure, enabling compliance while also advancing biopharmaceutical innovation.
The Evidence and Its Implications
A new working paper from the Research Institute of the Finnish Economy (ETLA) investigates the effect of major data protection laws, such as the European Union’s General Data Protection Regulation (GDPR), South Korea’s Personal Information Protection Act (PIPA), and Japan’s Act on the Protection of Personal Information (APPI), on global pharmaceutical and biotechnology firms. It finds that the introduction of strict data protection regulations leads to a substantial decline in R&D investments among these firms.
- Overall decline in R&D spending: Four years after implementation, R&D spending fell by approximately 39 percent relative to pre-regulation levels.
- Domestic-only firms hit hardest: Companies unable to shift data-sensitive operations abroad saw R&D fall by roughly 63 percent, compared to a 27 percent decline for multinationals.
- Small and medium-sized enterprises (SMEs) disproportionately affected: SMEs reduced R&D spending by about 50 percent vs. 28 percent for larger firms.
Therefore, while data protection rules increase costs across the board, the impact is heterogeneous. Multinationals may adjust by relocating data-sensitive operations to jurisdictions with more innovation-friendly rules, but smaller and domestic firms often lack that flexibility. In aggregate, these dynamics translate into fewer novel therapies, as higher compliance costs, project delays, and regulatory complexity lead companies to scale back their R&D programs.
Takeaways for U.S. Policymakers
The United States does not have comprehensive national-level data protection regulations. Instead, it has multiple sectoral federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA), which places constraints on the collection and use of personal health information. In addition, many states have both comprehensive and sector-specific data protection laws. Overall, the United States has less restrictive regulations compared to some other jurisdictions, but the growing patchwork of laws creates high compliance costs for firms. U.S. policymakers should address this patchwork situation promptly. The U.S. biopharmaceutical industry is the most R&D-intensive industry in the world, investing more than 20 percent of its sales back into R&D each year, employing hundreds of thousands of highly skilled workers, and generating broad spillovers across the economy. If overly strict data protection regulations were to push investment abroad or force smaller firms to scale back R&D, U.S. leadership and competitiveness in biopharmaceuticals would be placed at risk.
The ETLA findings should not be read as an argument against protecting sensitive health data, but they should serve as a warning of what happens when policymakers do not consider the unintended consequences of strict data protection laws. Too often, policymakers focus on protecting individual privacy without taking into account the harmful impact of restrictions on data sharing, including on the benefits that flow back to individuals and society at large.
Policymakers should ensure that data privacy protections advance—rather than inhibit—biopharmaceutical innovation so the United States remains the global leader in life-saving research.
To achieve this outcome, U.S. policymakers should pursue the following actions:
1. Reform HIPAA to facilitate data-driven medical research
HIPAA creates unnecessary hurdles to large-scale data collection and sharing essential for medical research. While HIPAA does have several mechanisms to allow data sharing for research purposes, these mechanisms are often insufficient. For example, HIPAA allows sharing de-identified data, but creating simpler rules for doing so could make it easier and less costly for firms to share data. Similarly, HIPAA allows individuals to provide consent for data sharing for a specific research study, but they often must provide consent again as new research questions arise. Requiring researchers to obtain consent repeatedly makes it much more difficult to implement large-scale longitudinal studies. Finally, HIPAA requires covered entities to only disclose the minimum necessary amount of data for a specific use, but in many cases, especially when training AI systems, disclosing the complete dataset is most useful. Better regulatory clarity, model data use agreements, and increased use of a single institutional review board for HIPAA reviews for multi-site studies would make HIPAA work better.
2. Pass innovation-friendly federal data privacy legislation
Congress should pass federal data privacy legislation that establishes basic consumer data rights, preempts state laws, ensures reliable enforcement, streamlines regulation, and minimizes the impact on innovation, including on the use of data for medical research. While HIPAA covers most U.S. healthcare data, it does not cover health data collected in other contexts, such as by consumer devices like smart watches. As Congress crafts federal data privacy legislation, it should ensure that consumers can share this type of health data. In addition, Congress should establish a clear and simple way for patients to donate their medical data for research purposes, as easily as they can become an organ donor.
3. Invest in privacy enhancing technologies R&D
Privacy enhancing technologies (PETs) allow entities to access, share, and analyze sensitive data without exposing personal information. PETs can reduce privacy risks, support compliance with data protection laws, and support secure biopharmaceutical collaboration. Supporting research, development, and deployment of PETs—including differential privacy, federated learning, homomorphic encryption, secure enclaves, and secure multi-party computation—can enable more computationally intensive medical research by making it easier for different entities to access and use personal health information.