How to navigate legal frameworks in cross border health research

When designing and implementing a health research project across countries, the first elements that research partners rush to address revolve around the technological implementation and use cases’ execution. However, before any data is collected and any patients recruited, a quieter, less glamorous work begins: analysing and establishing the project’s compliance framework with legal and ethical obligations.

Usually, the primary challenge in establishing said framework lies in the reconciliation of multiple frameworks that are applicable to the project’s research activities. When examining, for instance, the European Union (EU) personal data landscape, one can easily see how digital legislations are introducing overlapping obligations, stemming from, among others, the General Data Protection Regulation (GDPR), the European Health Data Space (EHDS) Regulation, as well as the Artificial Intelligence (AI) Act, all building upon the requirements for personal data protection from different perspectives.

In MULTIPULM, a 48-month Horizon Europe project bringing integrated, digital-based care to multimorbid patients with chronic respiratory conditions (CRDs), the establishment of the compliance framework was met with another challenge: The partners are located across different jurisdictions, including the EU, the United Kingdom (UK), Brazil, Serbia, and Türkiye. With partners spanning multiple continents and legal systems, properly designing the governance is not an afterthought, but a foundation.

Why the legal landscape is more complicated than it looks

At first glance, the design of the tools and solutions, as well as the implementation of the project use cases seem like the most difficult tasks to complete. In practice, aligning on legal and regulatory requirements across jurisdictions and sectors can be equally, if not more, demanding.

Each of MULTIPULM's three pilot countries operates under its own health research legislation, data protection rules, and ethics committee structures. None of these maps fully onto the other, or onto the European Union's framework governing the consortium's EU-based partners.

Similarly, the GDPR applies to EU-based partners handling personal data, while the national legislations of Brazil, Serbia and Türkiye come into place while the data travels across jurisdictions. Determining which rules apply, to whom, and when, is not a trivial question. Add wearable devices, cloud infrastructure, and AI solutions into the mix, and the complexity multiplies.

As such, the main challenges multi-jurisdictional projects may face lie in:

1. Legal framework mapping and reconciliation: As highlighted, it is essential to diligently map legal, regulatory and ethical requirements for partners involved, focusing on establishing a comprehensive landscape of project-specific obligations. In this process, it is likely that conflicting obligations may be identified, which need to be addressed in a timely manner.
   

2. Varying ethical approval processes and timelines: Each country and organisation is subject to ad hoc ethics approval procedures which depend on the organisation’s ethics committee. The differing submission format, documentation and processing speed must be considered since the start to avoid any delays.
   

3. Contextual consent procedures: Informed consent, albeit a universal principle, can vary in terms of procedural requirements, language, community trust, as well as literacy. These elements must be well considered so as to adapt any consent templates prepared at the project and individual partners’ side.
   

4. Data sharing requirements’ alignment: Each jurisdiction has a different framework surrounding the sharing of personal data beyond its borders. While the EU has the Chapter V GDPR tools, other locations may have simpler or more complex frameworks, that also need to be aligned to ensure homogeneity and compliance with all obligations.

Tackling the challenges and lessons learnt

Rather than treating compliance as an afterthought, in practice, it needs to be embedded into the project’s operations and planning since the start. This has been MULTIPULM’s exact approach, ensuring a timely management of the requirements, which has resulted in a number of lessons that can be replicated by other projects to promote compliance:

1. Early involvement of partners in the requirement identification process: In order to ensure a compliance by design approach, it is important that all of the Consortium partners are well informed in advance of any legal implications that their activities may entail. Such a “training” process ensures that they are, then, better positioned to proactively inform the project coordination team and legal partners of any legislative or regulatory requirement to which they are subject in their jurisdiction. It also ensures that any mapping exercise is more actively reviewed and verified by the partners’ concerned.
   

2. Homogenised project Documentation and templates: At the start of the project, it is more than recommended to design and co-create with involved partners a number of templates and guidelines that can then guide partners in performing their internal compliance procedures. Such templates may include the research study protocol, informed consent forms, data-related agreements (including data processing, sharing etc.), data protection and transfer impact assessments etc.
   

3. Compliance solutions and certification: Compliance solutions available are multiplying. Compliance certification can play an important role in establishing the project’s compliance framework, either through the use of the certification methodology for formalising the compliance process, or as a further means for exploitation by contributing to certification schemes with lessons learnt. Such certifications may include a European Data Protection Seal pursuant to the GDPR, like Europrivacy , or Interprivacy for more global results.
   

4. Ongoing dialogue and cooperation: The most crucial element is the maintenance of an open communication channel between all partners, including the teams working on coordination, legal and ethics elements. In this way, any risks are addressed proactively before they turn into an issue for the project. This also ensures that compliance is constantly integrated in the project’s evolving activities, and is not treated as a one-time exercise.
   

Looking ahead

While the project is still in early stages, the work already done provides a crucial baseline for its smooth operation and completion of necessary activities, in a manner that enables the implementation of the upcoming studies.

Integrated care for people living with multiple chronic conditions is complex enough on its own. Getting the legal foundations right means that the energy of clinicians, technologists, and patients can go where it belongs: towards better health outcomes.

Want to know more about MULTIPULM's approach to governance and ethics? Visit multipulm.eu or get in touch.

References:

[1] Regulation (EU) 2016/679, General Data Protection Regulation.

[2] Regulation (EU) 2025/327, European Health Data Space Regulation.

[3] Regulation (EU) 2024/1689, Artificial Intelligence Act. 

By Vasiliki Tsiompanidou  Project Manager - MULTIPULM / Mandat International

Newsletter on LinkedIn: Subscribe & stay ahead.