BRUSSELS PRIVACY HUB
Implementation of the GDPR: Scientific Research and Data Protection
Lina Jasmontaite, Brussels Privacy Hub, LSTS, VUB
On 9 December 2016, the Brussels Privacy Hub hosted a workshop on Scientific Research and Data Protection at the Institute of European Studies, the Vrije Universiteit Brussel. The workshop was part of the BPH Workshops Series on the Implementation of the GDPR, and addressed issues arising from the processing of scientific research data. It gathered 34 participants representing industry, civil society, academia, EU institutions and data protection authorities.
This workshop encouraged an open discussion on the notion of processing for scientific purposes and its framing as an element of the ‘data processing for scientific research purposes’ regulated by the General Data Protection Regulation (GDPR). To overcome the shortcomings of legal fragmentation and uncertainty brought in by domestic laws implementing the Data Protection Directive, the GDPR aims at harmonizing and clarifying applicable rules on data protection in the EU, covering also the processing of personal data for scientific research purposes. Recognising that the transition period for implementing the GDPR is still ongoing, Professor Gloria Gonzalez Fuster invited participants to share their observations and concerns about the implications of the updated legal regime applicable to the processing of personal data for scientific research purposes (see the workshop handout materials). During the moderated session the following issues were highlighted:
A broad scope to facilitate research activities: According to Recital 159, the processing of personal data for scientific research purposes ‘should be interpreted in a broad manner’ and can include ‘technological development and demonstration, fundamental research, applied research and privately funded research […] [as well as] studies conducted in the public interest in the area of public health’. In principle, the participants agreed that the legislator has deliberately provided for an ambiguous wording of ‘scientific research’ which would cover any kind of research activity. Some of the speakers suggested that interpreting scientific research in ‘the broad manner’ may not only benefit market research (e.g., big data research applications) but also require reconsidering the meaning of science. Several participants questioned whether personal data collected about a client without an explicit methodology can be deemed to be scientific. It was also pointed out that ambiguity in terminology may blur the wafer-thin line between processing operations for scientific, statistical or historical purposes.
Defining a purpose: It was noted that when considering processing of personal data for scientific research, controllers still have to adhere to the core EU data protection principles and requirements, such as purpose specification and limitation. It was suggested that though the notion of scientific research may cover many different research activities, controllers still remain under the general obligation to make sure that any personal data are ‘collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes’, even if in this context further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purpose (Article 5.1 (b)). Similarly to other processing operations, the processing of personal data for scientific research purposes should be narrowly defined in order to mitigate the risk of abusing derogations from the prohibition to collect special categories of data (sometimes referred to as sensitive data, Article 9(2)) or further processing of collected data (Article 89).
Choosing a legitimate basis: ‘Scientific research purposes’ can be pursued as the primary purpose for data collection or for further processing (i.e., the secondary purpose). The latter is often coupled with historical and statistical purposes. When scientific research is the primary purpose, controllers could in principle choose between several bases from the list of legitimate grounds provided in Article 6.1. According to Recital 33, consent can be considered to be a legitimate ground for the processing of personal data ‘to certain areas of scientific research’ when it is in line with ‘ethical standards’. While the notion of ‘ethical standards’ requires further clarification, the GDPR insists that individuals should be able to consent ‘only to certain areas of research or parts of research projects’. Following up on this specification, it could be suggested that Recital 33 closes the debate contesting the validity of consent in the context of scientific research. As far as the further processing of personal data by the controller is concerned, it is important to note that any further processing has to be subject to ‘appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject’ (Article 89.1). Those safeguards should provide for technical and organisational measures.
Restrictions of data subjects’ rights: Participants noted that according to Article 89, Union or Member State law may provide for derogations from data subjects’ rights of access (Article 15), rectification (Article 16), restriction of processing (Article 18), notification (Article 19), data portability (Article 20) and objection (Article 21) for processing for scientific research purposes, provided that appropriate safeguards are implemented.
Derogations trigger uncertainty: Several participants voiced concerns that the updated framework applicable to the processing of personal data in scientific research does not attain the desirable level of harmonization. As Member States can provide for different national derogations, it may be expected that data protection regimes for scientific research processing will remain more liberal in some countries than in others. Furthermore, this would mean that in some situations where scientific research involves several EU countries, legislation in each Member State should be consulted, as the derogations as well as the required safeguards put in place may vary per Member State.
Urgent need for solutions: Participants noted that there is an urgent need for more detailed recommendations facilitating compliance with the updated legal framework in the context of scientific research. It was suggested that this could be done by guidance provided by data protection regulators (e.g., DPAs or the EDPB), codes of conduct, or advisory ethics committees.