On January 6, 2020, the European Data Protection Supervisor (EDPS) issued a preliminary opinion on data protection and scientific research, in which it provided clarification on the application of data protection rules established by the General Data Protection Regulation (GDPR) and Regulation No. 2018/1725 with regard to scientific research.
In the concluding section of that opinion, the EDPS highlighted some areas for further consideration and discussion and potential measures to improve protection of personal data involved in scientific research.
An overview of the issues addressed by the EDPS is provided below.
The impact of digitization on scientific research
The EDPS provided an overview of the landscape of scientific research today. In particular, the EDPS pointed out that digitization has transformed research by allowing the exchange of a large volume of personal data (including special categories of personal data, such as data concerning health) at great speed across borders.
Moreover, the EDPS pointed out that many private companies hold gigantic databases of personal information obtained by monitoring people’s activity while they are connected to Internet and also employ researchers who conduct research in their industries. Therefore, it is increasingly difficult to distinguish between research that genuinely benefits society at large and research with private or commercial aims.
The notion of scientific research in light of the GDPR
As indicated below, the GDPR provides a special regime for scientific research, with the aim of striking a fair balance between protecting data and encouraging scientific research conducted in the public interest.
Specifically, the GDPR establishes a broad definition of research, including, for instance, technological development, applied research, and privately funded research. Moreover, a variety of different parties carry out scientific research. These include academic researchers, not-for-profit organizations, governmental institutions, and profit-seeking commercial enterprises.
According to the EDPS, the rules established by the GDPR with regard to scientific research apply if (i) personal data are processed, (ii) relevant standards of methodology and ethics apply, and (iii) research is not conducted for private interests, but exclusively for the purpose of increasing shared knowledge and improving public health.
With regard to point (ii), the EDPS recognized two essential components of ethical standards: informed consent issued by participants in any research project and independent ethical oversight conducted by an independent ethics committee to verify that the research is ethical and lawful and takes place under appropriate safeguards.
The GDPR and scientific research
The GDPR provides a special regime for scientific research that waives certain controller obligations. However, Article 89 of the GDPR requires that technical and organizational measures (e.g., rendering participants anonymous, limiting access) be adopted in order to ensure compliance with the principle of data minimization.
This includes the presumption of compatibility of processing for scientific research purposes of data previously collected for different specific, explicit, and lawful purposes in commercial, healthcare, and other contexts. Data may be reused for different purposes only if the safeguards required under Article 89 are in place. The EDPS also noted that this provision, concerning purpose specification, does not concern the lawfulness of the additional processing. Before the GDPR, this meant that once a compatibility assessment had been conducted, a controller then also was required to establish proper legal grounds for the further processing of personal data. This seems to have been superseded under Recital 50 of the GDPR, which states that if the additional purpose is compatible, there may be no need to establish specific legal grounds for the processing (basically, the purposes specification principle and the lawfulness principle have been combined.) However, the EDPS does not consider this to be a set rule; instead, it considers this a mere possibility, so regardless of the presumption of compatibility, specific lawful grounds for processing are required (and, of course, data subjects need to be informed as indicated above).
With regard to the basis for lawful processing, the EDPS identified “public interest” as a potential basis for lawful personal data processing in accordance with Article 6(1)(e) of the GDPR, while the processing of special categories of data may be carried out for “substantial public interest” (Article 9(2)(g) of GDPR) or specifically for scientific research (Article 9(2)(j) of GDPR) on the basis of EU and member states’ laws, provided that appropriate and specific measures to safeguard the fundamental rights of data subjects are adopted.
However, according to the EDPS, currently it is difficult to establish “substantial public interest” as lawful grounds for scientific research purposes, since the EU and member states have not as yet adopted specific laws on this matter.
Moreover, under Article 9(4) of the GDPR, member states may implement further limitations (namely, by limiting certain data subjects’ rights) with regard to processing genetic, biometric, and health data. However, the EDPS specifies that the flexibility granted to member states shall not be interpreted in a way that could undermine the essence of the right to data protection. For instance, a research organization cannot retain personal data for indefinite periods or deny data subjects the right to information.
Finally, the EDPS underlined the key role of the principle of accountability, under which controllers shall assess the risks connected to data processing and take appropriate measures to safeguard data subjects.
Consent of data subject as legal basis for data processing for research purposes
Explicit consent may be used as legal grounds for the processing of special categories of data for research purposes (Article 9(2)(a)). However, in cases in which consent is not appropriate as a legal basis, the other lawful grounds described above (Articles 6 and 9 of GDPR) are applicable. Consent for the processing of personal data is different from the informed consent that must be obtained from human participants in research.
Under the GDPR, consent shall have the following characteristics:
- Freely-given: Consent shall be the result of a genuine choice. Therefore, consent issued in a clear state of imbalance between the data subject and the controller is not valid.
- Specific, informed, and unambiguous: For instance, consent provided in a form or via a series of pre-ticked boxes is not valid.
- Explicit: However, special categories of data may be processed when data subjects have made their data public.
The EDPS suggested deepening the dialogue between the scientific research community and data protection authorities at a European level. To this end, the authority provided some suggestions for further areas of discussion and debate:
- Data protection authorities and data protection officers should intensify their collaboration with independent ethical committees. Indeed, such committees could assist in identifying genuine scientific research and define ethical standards under the GDPR.
- Adoption of codes of conduct at the EU level and certifications issued by accredited certification bodies to controllers or processors, with a maximum validity of three years. Such certifications should prove the compliance of processing operations with the GDPR.
- Researchers should request guidelines from data protection experts and authorities in order to develop research projects in compliance with the GDPR in an effort to target European research funding.
- EU and member states should identify an appropriate public interest basis under data protection law in order to allow companies to disclose data to researchers clearly in compliance with the GDPR. Moreover, EU and member state rules should set forth a proportionality test and adequate safeguards against unlawful access. In general, discussion involving civil liberties groups, research communities, and major tech companies should be pursued.