On 6 January 2020, the European Data Protection Supervisor (“EDPS”) published a Preliminary Opinion on data protection and scientific research for the purpose of addressing the lack of guidelines or comprehensive studies on this topic.
At the same time, the EDPS acknowledged that the Preliminary Opinion builds on and is consistent with the work of the European Data Protection Board (“EDPB”) and of the previous Article 29 Working Party. The EDPS also indicated that most of the follow-up to the Preliminary Opinion will likely come from the EDPB as well.
The research landscape today
Based on the principle that “respect for personal data is wholly compatible with responsible research”, the Preliminary Opinion provides a critical outline of the landscape of scientific research in today's digital age, highlighting the challenges posed by:
(1) digitization and the associated unprecedented volume of personal data exchanged;
(2) the increased interconnection between academia and the commercial sector, including funding and shared resources, with a particular focus on the emerging genetic services market;
(3) behavioral experiments carried out by large tech companies (e.g. Facebook's experiment on “emotional contagion” in 2014); and
(4) corporate secrecy as a barrier to independent research and audits by government agencies (e.g. Facebook's restriction of access to its API in 2018).
The definition of scientific research
The EDPS's Preliminary Opinion also offers some insights into the definition of research, aiming to clarify the scope of the GDPR's special data protection regime for scientific research under Article 89. The EDPS reached the preliminary conclusion that three requirements should be met in order to trigger the application of the special regime:
1- personal data are processed
2- methodological and ethical standards of the relevant sector apply (including the principles of informed consent, accountability and independent oversight)
3- the research is directed at increasing society's collective knowledge and wellbeing, rather than serving primarily one or several private interests.
EU governance and research policy: the Clinical Trial Regulation
Another section of the Preliminary Opinion is devoted to the governance framework for research in the EU and, specifically, to the EU Clinical Trials Regulation (EU Reg. No 536/2014), which entered into force in June 2014 but will not be applicable until the EU clinical trial portal and database is completed (it will likely be functional by the end of 2020).
The Clinical Trial Regulation requires that the research participant give consent, and that such consent be the subject's free and voluntary expression of his or her willingness to participate in a particular clinical trial, after having been informed of all aspects of the clinical trial that are relevant to the subject's decision to participate.
However, it should be noted that the informed consent under the Clinical Trial Regulation is different from the consent required under GDPR as a legal basis for processing personal data. Consent under GDPR should be “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (Art. 4.11 GDPR).
More information on this topic can be found in the EDPB's Opinion No. 3/2019 concerning the Q&A on the interplay between the Clinical Trial Regulation and the GDPR.
Data protection selected issues
The Preliminary Opinion also addresses the scope of the special regime for data processing for scientific research, the full extent of which has not yet been precisely defined.
The special regime (see Article 89 GDPR) introduces a certain degree of flexibility in the controller obligations based on the presumption of compatibility of further processing for scientific research of data previously collected in other contexts, provided that appropriate safeguards are ensured. In this respect, the EDPS highlights that “this flexibility is afforded on the assumption that research occurring within a framework of ethical oversight serves, in principle, the public interest”.
In order to clarify the legal framework in which this special regime is included, it may be useful to briefly review the general provisions and associated derogations.
As a general rule, under Article 6.4 GDPR, further data processing (that is, data processing for a purpose other than that for which the personal data have been initially collected) is only allowed based on (1) the subject's consent, (2) a Union or Member State law or (3) a compatibility assessment between the purposes of the first and subsequent data processing.
Considering the importance of data re-use for scientific research, GDPR establishes a presumption of compatibility in Article 5.1.b:
“further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89.1, not be considered to be incompatible with the initial purposes”
In addition, with respect to scientific research, Article 89.2 GDPR provides a special regime, which allows Member States to introduce derogations from the rights referred to in GDPR Articles 15 (Right of access), 16 (Right to rectification), 18 (Right to restriction of processing) and 21 (Right to object and automated individual decision-making). These derogations are subject to the appropriate conditions and safeguards referred to in Article 89.1 GDPR, which requires that:
“those safeguards shall ensure that technical and organizational measures are in place in particular in order to ensure respect for the principle of data minimization. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.”
At the same time, the EDPS warns that such increased flexibility should not be abused so that “the essence of the right to data protection is emptied out” and in this respect points out particularly critical areas, which include data subject rights, appropriate organizational and technical measures against accidental or unlawful destruction, loss or alteration, and the supervision of an independent authority.
In particular, the conduct of a research organization might be considered abusive if it interprets those special derogations so broadly as to permit the retention of personal data for indefinite periods and to deny data subjects their right to information.
In light of the above, the EDPS recommends intensifying the dialogue between data protection authorities and ethical review boards for (1) reaching a common understanding of the scope of genuine research, (2) discussing EU codes of conduct for scientific research, (3) seeking a closer alignment between EU research programs and data protection standards and (4) starting a debate on the requirements necessary to grant researchers access to data held by private companies based on public interest.
When a scientific research activity, including clinical trials, involves processing personal data of people within the European Union, it should be carried out in compliance with the GDPR provisions and, when applicable, other EU legal provisions. It is particularly important to pay attention to the following areas:
- data protection provisions are applicable to both initial and further data processing. Further processing for scientific research purposes is covered by a general presumption of compatibility with the initial purposes. Such presumption does not relieve the controller from putting in place appropriate safeguards;
- scientific research may benefit from a special regime provided by Article 89 GDPR, which allows some derogations from the controller's obligations. However, the special regime still requires compliance with the principles which constitute the essence of the right to data protection;
- considering the flexibility granted to EU Member States in this field, it is also advisable to keep track of the decisions issued by national data protection authorities;
- considering the upcoming full applicability of the Clinical Trial Regulation, make sure that your clinical trials will be compliant with the new provisions;
- research organizations may simplify the procedure and decrease the responsibilities for further data processing by collecting relevant data already compliant with GDPR provisions. In 2019, Finland passed the Act on secondary use of health and social data, which allows researchers to have access to pre-collated and readily combined data, which are provided in a GDPR-compliant form. Researchers also hold less responsibility for the protection of data, as they carry out their analyses in the secure user environment provided by the data permit authority.
The above serves only as a brief summary of some of the relevant data protection issues associated with scientific research falling within the scope of GDPR. For more information on any of these topics, or any other aspect of EU data protection law affecting your activities, please contact Berggren's International Team at email@example.com. We will be pleased to assist you.
Please note that this overview is not meant as legal advice and that each specific matter should be evaluated in detail and on its own merits.