Medical research: Advance consultation with Data Protection Authority no longer required

Medical research is one of the sectors most affected by rapid technological development and the increasing use of artificial intelligence systems.

The possibility of reusing (personal and health) data collected for medical research purposes in an efficient way, while respecting data protection legislation, has been widely discussed in recent years. It is also a core element in recent Italian and European legislative initiatives, including the European Health Data Space and the recent changes to the Italian Electronic Health Record legislation. On the one hand, companies, individuals, and researchers have pointed out that legislation has severely restricted the field of medical research in recent years. The impact has been especially significant on observational studies, which are the basis for much scientific progress. On the other hand, the importance of protecting personal data and complying with existing legislation to protect trial participants cannot be underestimated.

Legislative changes introduced by the NRRP Decree

This ongoing debate led to an important legislative change introduced with the NRRP Decree, which amended the regime provided by the Privacy Code in the field of medical, biomedical, and epidemiological research.

Specifically, Law No. 56 of April 29, 2024, which converted Decree Law No 19 of March 12, 2024, amended Article 110 of the Privacy Code under which it is excluded the need to obtain consent for the processing of data concerning health for the purposes of scientific research in the medical, biomedical, and epidemiological fields, if the research is performed on the basis of legislative or regulatory provisions or European Union law and an impact assessment is carried out and published (a hypothetical case in the Italian medical research context).

Article 110 also establishes that consent is not required when, for specified reasons, informing the data subject would be impossible or would require disproportionate effort or would make it impossible to achieve the research objectives or seriously jeopardize their achievement, provided that appropriate measures are taken to protect the rights, freedoms, and legitimate interests of the data subject.

Previous version

The wording in place prior to the recent amendment required the data controller to take appropriate measures to protect the rights, freedoms, and legitimate interests of data subjects; required the research plan to receive approval with grounds from the appropriate Ethics Committee at the territorial level; and required the data controller to consult with the Italian Data Protection Authority in advance pursuant to Article 36 of the Regulation.

The amended version altered that last requirement, which was frequently criticized. Mandatory consultation with the Data Protection Authority forced observational studies down a long and winding path. In recent years the Data Protection Authority has issued multiple rulings on advance consultation procedures under Article 110. Typically, it would take the Garante (and, as such, data controllers) several years to complete those procedures.

Obligation to observe Data Protection Authority guarantees

The amended Article 110 no longer contains the obligation to consult the authority in advance, but it does require parties to comply with the guarantees established by the Data Protection Authority.^[1] Therefore, the Data Protection Authority will provide a clearer outline of said guarantees. Deontological rules for processing for statistical or scientific research purposes already exist, as they were adopted via Resolution No. 515 of December 19, 2018, do apply.

In fact, with Resolution n298 of May 9, 2024, the authority clarified that the extant ethical rules apply pending approval of new rules and identified some additional guarantees.

Motivations of the Data Protection Authority

The Data Protection Authority explained the ethical and organizational basis for processing the data of deceased or unavailable subjects. Ethical reasons apply when it is impossible to obtain the data subject’s consent because the data subject is unaware of their condition and the knowledge of it could cause material or psychological harm. Organizational reasons apply when it is impossible to contact data subjects and obtain their consent, meaning that either contacting the data subjects would require disproportionate effort, all reasonable efforts to contact the data subjects have been made (and documented), or the data subjects are dead or otherwise untraceable; the authority calls these “residual” reasons. The research reporting must indicate these circumstances in detail.

DPIA needed

Furthermore, the Data Protection Authority states that in such cases, the data controller must carry out and publish an impact assessment (DPIA) in accordance with the GDPR.^[2]

A few notes on this last provision: The amended Article 110 does not mention the need to perform a DPIA, in line with the accountability principle of the GDPR and the fact that the obligation to carry out a DPIA is provided in specific cases under Article 35 itself or by a specific procedure (consistency mechanism) for certain types of cross-border processing operations. Instead, the authority seems to assume that while the advance consultation obligation no longer applies, an impact assessment must still be performed pursuant to Article 35 GDPR. However, one could theorize that, even in the case of medical research falling under the scope of the amended Article 110 Privacy Code, it is up to the data controller to assess that need. The requirement to carry out an impact assessment is certainly consistent with the requirements in the first part of Article 110, which calls for an impact assessment for publicly funded research and requires that it be published.

Publication of DPIA

In any case, once an impact assessment has been carried out, in accordance with Article 110 the data controller must determine whether high risks cannot be mitigated and therefore consult with the Data Protection Authority in advance in accordance with Article 36 of the GDPR.

Finally, it’s logical to wonder whether it is really necessary to publish the entire impact assessment. An impact assessment is a long, complex, and highly technical document. The requirement to publish an impact assessment does not seem to be designed to increase transparency for interested parties (certainly not in the case of deceased patients included in observational studies), many of whom do not care to read such a complex document and are not capable of parsing its meaning if they do. Instead, it seems to be designed to facilitate verification that the authority may carry out (on the basis of a third-party report or ex officio).

In this regard, more recently, the Garante has published Frequently Asked Questions on the processing of personal data collected for health care purposes for further research purposes by a specific category of hospitals (IRCSS). In the FAQ the Garante has clarified that the research carried out by IRCSS might fall within the case of biomedical research conducted in accordance with Italian law and, as such, data subjects’ consent is not required and a DPIA needs to be conducted and published. In this regard, the Garante has clarified that, when the publication of the entire DPIA might violate intellectual property rights, commercial secrets or others, the controller might publish excerpts of the same. While it could be argued that the Garante has not stated this clearly in the clarifications to the deontological rules in May, it could be also argued that it would be hard to find a rationale for the protection of intellectual property and business information only in case of research conducted by IRCSS. As such, it would be reasonable to deem that – even in case of medical research falling within the scope of Article 110 and carried out by entities different from IRCSS – the publication of excerpts of the DPIA instead of its entirety would be compliant with the law.

New deontological rules

In the same measure dated May 9, 2024, the Data Protection Authority announced adoption of new ethical rules and invited those interested in signing them (and those with a qualified interest in their adoption), in accordance with the principle of representation, to inform the authority within 60 days of publication of the measure.

Hopefully, the new guarantees will strengthen the principle of responsibility while accounting for the real risks in the medical research sector, which is essential to the nation’s social and economic development.

[1] Pursuant to Articles 2-quater and 106 of the Privacy Code.

[2] Article 35.