The European Data Protection Board (EDPB) released a document earlier this year in response to a request by the European Commission for clarifications on the application of the GDPR in the area of scientific health research, which you can read here. However, it’s important to note that the EDPB is currently preparing guidelines on the processing of personal data for scientific research purposes, due to be released later this year, which will elaborate further on these points.
Legal basis for processing of health-related data for scientific research purposes
The European Commission posed a question to the EDPB concerning the appropriate legal bases to rely on when personal data is processed for scientific research purposes. The European Commission was particularly interested in understanding two main issues: the interaction of the GDPR legal bases with the requirement to obtain consent for clinical trials, and, given the requirement for certain legal bases to have a foundation in Member State or EU law, whether multiple legal bases could be relied upon by one controller for a single research project conducted across several Member States.
The EDPB’s response states that ethical standards which require informed consent for participation in scientific research can and must be differentiated from explicit consent for processing special categories of personal data. It clarifies that they are different concepts and that consent to conduct the clinical trial is not the same (and should not be held to the same standard) as consent for processing special categories of personal data.
Moreover, with regard to legal bases for scientific research, the EDPB noted that when a scientific research project is conducted in multiple Member States, it endorses the use of the same legal basis across all Member States for processing personal data (including special category personal data) associated with the project. But it recognised that, due to the requirement for an underlying Member State or EU law in relation to some of the legal bases (e.g. legal obligation (art.6(1)(c)), reasons of public interest in the area of public health (art.9(2)(i)) and scientific research (art.9(2)(j))), this may not always be possible, and heterogeneous legal bases may be more appropriate.
Further processing of previously collected health data
The EDPB also outlined the possibility of processing previously collected health data for scientific research purposes by relying on the presumption of compatible use with the original purpose. For example, this may mean that controllers may rely on an individual’s original consent for future research without having to define the research, so long as the purposes of their research match the purposes of the original data processing (for which the consent was obtained). However, on this point, the EDPB stated that specific guidance would be provided in its upcoming guidelines. Until such time, we know from previously issued guidance that further processing of previously collected health data in a future scientific research project:
- Requires that personal data must be processed with adequate safeguards such as pseudonymisation (Article 89(1) GDPR); and
- If the Article 9 exemption is relied upon for the original purpose of processing but ends up not applying to the processing of personal data for scientific research purposes, the researcher must rely on a different Article 9 exemption.
The European Commission asked the EDPB if the concept of ‘broad consent’ could apply to the processing of special categories of personal data for scientific research purposes. While the term ‘broad consent’ does not appear in the GDPR, the EDPB takes its understanding from Recital 33. Recital 33 states that where the purpose of processing data for scientific research cannot be specified precisely when the data is collected, it should be possible to obtain valid consent from the affected data subjects in general terms, thus allowing for greater flexibility. However, the EDPB stressed that it would need to look at this concept in more detail, but it did state that adequate safeguards must be taken to ensure transparency in the processing during the research project and to ensure that the specific requirements for consent are met as soon as practically possible.
The EDPB also notes that Recital 33 should not be used as an exception or as a workaround for the principle that the purpose of processing must be stated in a clear manner and should be as detailed as possible. Therefore, they confirm ‘broad consent’ cannot be asked for and relied on for processing health data for ‘any kind of – unspecified – future research purposes’.
Transparency of data processing: Information to be provided to the data subject
The GDPR requires controllers to inform data subjects about the processing of their personal data, as part of their transparency obligations. Article 14(5)(b) GDPR does however provide an exemption from this requirement if it proves impossible, or would require disproportionate effort, to inform data subjects of the further processing of their personal data for research purposes.
The EDPB has clarified that this exemption does not apply where the controller originally collected the data directly from the data subject because controllers must take appropriate measures at the point of data collection to ensure they can meet any further information requirements if there is further processing for research purposes.
Anonymisation, pseudonymisation and other safeguards under Article 89(1) GDPR
The EDPB expressed concerns about the difficulty of achieving (and continuing to achieve) the anonymisation of personal data by applying the various anonymisation techniques available. This concern stems from the ongoing advances in available technology, which can undermine techniques that were once considered sufficient. The EDPB also points out that the possibility of anonymising genetic data remains an unsolved issue.
The EDPB also recognised the need to provide further clarification on what ‘appropriate safeguards’ may be in the context of data processing for scientific research purposes under article 89(1), as they recognise there is a lack of guidance on this matter.
While the EDPB’s response is a good starting point to get some much-needed clarification on various issues surrounding the application of the GDPR, controllers and processors must now await the upcoming EDPB guidelines on the processing of personal data for scientific research purposes, which will hopefully clarify some of the uncertainties that remain. As ever, we will keep our eyes open for this guidance and blog about our thoughts on it shortly after it is published.