Medical research: Prior consultation with the Data Protection Authority is no longer required
Medical research is one of the areas most affected by rapid technological development and increased use of artificial intelligence (AI) systems.
The possibility of reusing (personal and health) data collected for medical research purposes in compliance with data protection regulations has been the subject of extensive debate over the past few years.
This scenario also underlies the latest national and European legislative initiatives, such as the European Health Data Space and recent changes to the Electronic Health Record.
Companies, individuals, and researchers have pointed out that limitations imposed by recent legislation have severely restricted the field of medical research. This is especially true for observational studies, which are the basis of many advances in the scientific field.
But clearly there is a significant need to protect personal data and comply with existing legislation to safeguard individuals who participate in those studies.
Medical research under the Italian Data Protection Code
This debate led to an important legislative change introduced by the PNRR Decree, which modified the Privacy Code’s regime for medical, biomedical, and epidemiological research.
Law No. 56 of April 29, 2024 amended Article 110 of the Privacy Code.[1] This article provides for an exception to the consent requirement for processing health-related data for the purpose of scientific research in the medical, biomedical, and epidemiological fields when the research is carried out on the basis of legal or regulatory provisions or on the basis of European Union law and when an impact assessment is conducted and made public (in the Italian medical research sphere, such cases are few and far between).
Article 110 also states that consent is not required when, for special reasons, informing data subjects is impossible or involves disproportionate effort, or when doing so would make it impossible to achieve the research purposes or seriously jeopardize the chance of doing so, as long as appropriate measures are taken to protect the rights, freedoms, and legitimate interests of the data subjects.
The previous version and the legislative changes introduced by the PNRR Decree
Prior to the recent amendment, in such cases the data controller was required to take appropriate measures to protect the rights, freedoms, and legitimate interests of the subjects involved; the research program had to receive a favorable opinion from the appropriate ethics committee at the territorial level; and prior consultation with the Data Protection Authority was required.[2]
The April 2024 amendment modified the last requirement, which had always been criticized. When prior consultation with the Data Protection Authority was mandatory, observational studies had to follow a long and complex process. Indeed, in recent years the Data Protection Authority often took several years to issue decisions on prior consultation proceedings under Article 110.
Duty to observe the Data Protection Authority’s guarantees
The new version of Article 110 no longer contains the obligation of prior consultation, but it does contain the obligation to observe safeguards identified by the Data Protection Authority.[3]
Naturally, the Data Protection Authority is expected to identify these safeguard measures more clearly. Also, there are existing deontological rules that apply to processing for statistical and scientific research purposes.[4] As the Data Protection Authority stated, these are definitely to be applied in these cases.
Indeed, the Data Protection Authority has confirmed that the existing deontological rules are to be applied pending the approval of new rules and the establishment of additional safeguards.[5]
Data Protection Authority logic
The Data Protection Authority has set forth ethical and organizational bases to allow the data of deceased or uncontactable individuals to be processed.
The ethical basis is that consent cannot be sought from the data subject because the data subject is unaware of their condition and learning about it could cause them material or psychological harm.
The organizational basis is that contacting a data subject would involve disproportionate effort; once every reasonable effort to contact a data subject has been made (and documented), they are presumed to be deceased or otherwise untraceable.
The Data Protection Authority requires these bases to be reported in detail in the research plan.
DPIA required
The Data Protection Authority confirms that in such circumstances the data controller must conduct and publish a data protection impact assessment (DPIA).[6]
It is worth looking at this issue in depth. The revised Article 110 does not require a DPIA, in line with the GDPR accountability principle and with the fact that the DPIA obligation is provided in specific cases under Article 35 or by a specific procedure (consistency mechanism) for certain cross-border processing.
The Data Protection Authority seems to assume that even with the obligation for prior consultation eliminated, an impact assessment must still be carried out under Article 35 GDPR. However, an argument could be made that even in cases of medical research within the scope of the revised Article 110 Privacy Code, it is up to the data controller to assess whether a DPIA is necessary.
The requirement to conduct an impact assessment is certainly in keeping with the requirements of the first part of Article 110, which calls for an impact assessment to be conducted and published for state-funded research.
Publication of the DPIA
In any case, once an impact assessment under Article 110 has been carried out, it will be up to the data controller to consider whether to resort to prior consultation with the supervisor under Article 36 GDPR when high risks cannot be mitigated.
Finally, there is the question of whether publication of the entire impact assessment is truly necessary. These assessments are long, complex, and highly technical documents.
The requirement to publish the DPIA does not seem designed to foster greater transparency for the data subjects (at least in the case of patients who have died and are included in observational studies). Indeed, patients do not always have the desire or the ability to read these complex documents. Instead, the requirement seems to be intended to make it easier for the Data Protection Authority to perform inspections (on the basis of third-party reports or ex officio).
The Data Protection Authority recently published a FAQ on processing personal data collected for further research purposes by a specific category of entities (Institutes of Hospitalization and Treatment with Scientific Character, “IRCCS”).
In the FAQ, the Data Protection Authority explains that research activities carried out by IRCCS may be categorized as biomedical research conducted under the law and, therefore, prior consent of data subjects is not required, though a DPIA must be conducted and made public.
The Data Protection Authority further explains that when publication of the entire DPIA may infringe intellectual property rights, trade secrets, or similar rights, the data controller may release only excerpts from it.
While it could be argued that this possibility was not expressly provided by the Data Protection Authority in its May 2024 order on the existing ethics rules, it could also be argued that it would be unreasonable to limit the protection of intellectual property and commercial information solely to research activities conducted by IRCCS.
Therefore, even when non-IRCCS entities conduct research under Article 110, it would be reasonable to argue that only excerpts from the impact assessment need be published.
New ethics rules
The Data Protection Authority announced the adoption of new deontological rules and invited those who have an interest in signing them (and those who have a qualified interest in their adoption), in accordance with the principle of representativeness, to notify the Data Protection Authority within 60 days of publication of the same provision.[7]
Adoption of the deontological rules will take time and involve several stakeholders: hopefully the new guarantees will enhance the principle of accountability and take into account the actual risks in the medical research sector—a sector essential to the nation’s social and economic development.
[1] Converting Decree-Law No. 19 of March 12, 2024.
[2] Pursuant to Article 36 of the GDPR.
[3] Under Articles 2-quater and 106 of the Privacy Code.
[4] Adopted in Order No. 515 of December 19, 2018.
[5] In Order No. 298 of May 9, 2024.
[6] Pursuant to Article 35 of the GDPR.
[7] In the same provision dated May 9, 2024.