This week the EU’s independent data protection authority (DPA), the European Data Protection Supervisor (EDPS), published a preliminary opinion on data protection and scientific research subject to the General Data Protection Regulation 679/2016 (GDPR) and Regulation 1725/2018 governing data protection in EU institutions (Preliminary Opinion). Regulation 1725/2018 is very similar to the GDPR’s provisions in this area, and the EDPS states that the Preliminary Opinion may be regarded as relevant to data processing under both regulations.
The Preliminary Opinion builds on the work of the European Data Protection Board (EDPB) in promoting a dialogue between DPAs, ethical review boards and organisations conducting scientific research.
EDPS acknowledges that the public interest is served by research and emphasises that the aim should be to seek a fair balance between scientific research and individual rights. Where a controller’s legal basis for processing personal data is “necessity for the performance of a task carried out in the public interest,” the EDPS states that the processing should address a “pressing social need” rather than being carried out for largely commercial gain. While the Preliminary Opinion does not elaborate, this suggests that commercial gain is not incompatible with the “public interest” legal basis in the context of scientific research, so long as the purpose of the processing is not “largely” commercial gain.
In relation to consent as a legal basis for processing, the Preliminary Opinion discusses the overlap between the informed consent of participants in clinical trials, and consent under data protection law. Interestingly, the EDPS considers that even where consent is not an appropriate legal basis under the GDPR, informed consent in the clinical trial context could serve as an “appropriate safeguard” to the rights of data subjects. The EDPS does not outline the precise conditions under which informed consent might be deemed an appropriate safeguard in the clinical trial context. However, the Preliminary Opinion does encourage the development of innovative forms of consent management, such as tiered consent, where participants are invited to select from a set of options, and dynamic consent, where participants are asked to consent to different activities over time via a digital interface. The EDPS highlights the importance of having a debate with civil liberties groups, the research community and the major tech companies to ascertain how digitisation is evolving and how loopholes in the protection of fundamental rights can be minimised.
In the Preliminary Opinion, EDPS also suggests the following areas for development:
- DPAs and ethical review boards: EDPS recommends that the DPAs work closely with ethical review boards that could support organisations in understanding what constitutes genuine research. Ethical committees would also contribute to defining the ethical standards referred to in the GDPR and ensuring that research projects are designed with data protection principles from the outset.
- Codes of conduct: EDPS encourages drawing up codes of conduct based on the GDPR requirements to increase compliance and achieve harmonisation at the EU level. Certification bodies could then accredit organisations that meet the compliance requirements.
- EU research framework programmes: EDPS supports the creation of funding for selected research projects. Research projects seeking funding from the EU would go through an ethics review process and data protection requirements would be part of this review.
While the EDPS’s focus is on EU institutions, this is an influential opinion, as it recognises the breadth of research and the types of organisations that can be involved in it as well as the link between the legal bases for processing personal data and the GDPR exemption for research. The preliminary opinion lays out the types of safeguards needed when conducting research. The Preliminary Opinion makes it clear that all scientific research involving personal data must follow the principles laid out in the GDPR. The EDPS does, however, make the point that the Preliminary Opinion is likely to be followed up with further guidelines from the EDPB, which will be responsible for clarifying issues such as consent, retention and secondary use. Keep an eye on this blog for further updates!