Out-Law News 4 min. read
30 Jan 2020, 3:19 pm
The European data protection supervisor (EDPS) said it is willing to bring civil liberties groups, the research community and major tech companies together to debate the topic.
The EDPS called for "the beginning of a debate on the circumstances in which access by researchers to data held by private companies can be based on public interest" in a new opinion it has issued on data protection and scientific research.
In the opinion, the EDPS said that researchers have expressed concern that a "few powerful private companies" control access to the data generated in today's digital world, and that researchers that operate "within ethical governance frameworks" should be able to access necessary data where there is a legal basis and the access is "subject to the principle of proportionality and appropriate safeguards".
However, the EDPS said this data sharing with researchers is "not happening" currently despite there appearing to be "little obstacle" to such sharing. It said that this has promoted "recent calls for regulated access across the EU to privately-held personal data for research purposes that serve a public interest, such as improving healthcare provision and addressing the climate crisis". Such a move should be considered more closely, it said.
"A public interest basis under data protection law for dominant companies to disclose data to researchers would need to be clearly formulated and laid down in EU or member state law, as well as being accompanied by a rigorous proportionality test and appropriate safeguards against misuse and unlawful access," the EDPS said in its opinion. "The EDPS can help facilitate a debate on this matter with civil liberties groups, the research community and the major tech companies."
Madrid-based data protection law expert Paula Fernández-Longoria of Pinsent Masons, the law firm behind Out-Law, said that Article 89 of the General Data Protection Regulation (GDPR) provides individual EU member states with some scope to draw up lighter touch data protection rules applicable to scientific research.
"As the EDPS highlighted, digitisation has transformed research and blurred the lines between private sector research and traditional academic research more than ever," Fernández-Longoria said. "It is therefore welcome that the EDPS has concluded that private research can be included within the scope of the special regime under Article 89."
According to the opinion, the special regime for scientific research is applicable if the following three criteria are met: personal data are processed, relevant sectoral standards of methodology and ethics apply, and the research is carried out with the aim of growing society’s collective knowledge and wellbeing.
There are a number of different areas of 'scientific research' which fall within the special data protection regime, according to the EDPS. This, it said, includes medical research.
"In this regard, the EDPB explained that special categories of personal data, such as health data, are subject to greater safeguards under the GDPR, with more restrictions placed on how such data can be processed," Fernández-Longoria said. "One basis for processing the data is if data subjects provide their explicit consent."
"The EDPS said that there is a clear overlap between the concept of 'informed consent' on human participation in research and the concept of consent under data protection law, but it stressed that viewing both consents as a single and indivisible requirement would be simplistic and misleading. It said that if consent is not an adequate legal basis to process sensitive data then informed consent may serve as an appropriate safeguard, but called for further discussion between research and data protection expert on the notion of consent in the two areas," she said.
The EDPS also explained that the GDPR permits special category personal data to be processed for reasons of public interest on the basis of EU or member state law. However, it said "such laws have yet to be adopted" and that it is "therefore difficult at present, if not impossible, to view a ‘substantial public interest’ as a basis for processing sensitive data for scientific research purposes".
The EDPS also addressed the interaction between the processing of personal data for scientific research and the accountability principle under the GDPR. That principle demands that organisations processing personal data take responsibility for the processing that takes place and has measures in place and maintains records to demonstrate compliance.
The standards of accountability organisations engaged in scientific research projects must meet should reflect the fact that the processing and sharing of data under those projects "would reasonably be considered a high-risk data processing activity" under the GDPR, the EDPS said. However, it said data protection law is "not an obstacle to" the "proportionate disclosure of information to researchers, where there is a valid legal basis and appropriate safeguards depending on the risk". One such safeguard would be where researchers are signed up to "professional ethical standards", it said.
In its paper, the EDPS acknowledged the need for dialogue between the scientific research community and data protection authorities due to "discrepancies" across EU countries, "misunderstanding" about the GDPR, and "concentration of potentially valuable social research data in a few private companies".
The watchdog also recommended that data protection authorities and data protection officers increasingly engage with ethical questions in the development of digital technologies, and it encouraged the development of new EU codes of conduct and certifications for research purposes. There is a framework for the development of such codes and certification regimes under the GDPR.
"It is positive that the EDPS recognises discrepancies across member states in relation to the processing of personal data in the context of scientific research and the existence of misunderstanding about the GDPR," Fernández-Longoria said. "Researchers processing personal data of EU residents should have a clear idea of the conditions upon which the research may be carried out and how the personal data involved can attain adequate protection while ensuring the research is not at risk."
"The desire to explore how to enable access to data held by a few private companies further highlights that the interaction between competition and data protection is an increasingly hot topic," she said.