New Guidance Published Addressing Scientific Research and the GDPR
A recent opinion from the European Data Protection Supervisor (EDPS) on data protection and scientific research builds on an opinion from January 2019 from the European Data Protection Board on the GDPR and clinical trials. The Opinion from the EDPS should be taken into account by life sciences companies in their ongoing assessment of how to apply the GDPR to scientific research both in clinical trials and more broadly.
The EDPS – an independent supervisory authority whose primary objective is to ensure that European institutions and bodies respect the right to privacy and data protection – recently published a preliminary opinion on data protection and scientific research (the Opinion). The EDPS acknowledges the critical importance of scientific research but states that “data protection obligations should not be misappropriated as a means […] to escape transparency and accountability.” In particular, according to the EDPS, compliance with data protection laws is “wholly compatible” with responsible scientific research. However, the EDPS recommends intensifying dialogue between data protection authorities (DPAs) and ethical review boards for a common understanding of which activities amount to genuine research and expects further guidance to be published by the European Data Protection Board – an independent European body, composed of representatives of the national DPAs and the EDPS.
Some of the key takeaways from the Opinion include:
- The Key Players: The Opinion describes the shift in the landscape of scientific research, i.e., away from academia towards the commercial sector. Importantly, this shift includes companies not previously in the life sciences industry, e.g., big data analytics firms and social media companies whose business models result in the accumulation of vast quantities of data.
- The 3 Criteria: The EDPS adopts the definition for scientific research previously adopted by the former Article 29 Working Party in its Guidance on Consent under the GDPR. The EDPS asserts that for research to meet this definition the following three criteria must be met: (i) the processing of personal data; (ii) the scientific research must be carried out within an established ethical framework which includes the notion of informed consent, accountability and oversight; and (iii) the scientific research must be carried out with the aim of growing society’s collective knowledge and wellbeing (i.e., as opposed to research which primarily serves private interests).
- Wider Governance Framework: The Opinion provides an overview of the wider governance framework for scientific research in the EU. This includes an overview of the requirements around consent in the context of clinical trials – a topic which has recently been addressed by the EDPB in the context of the GDPR and the Clinical Trials Regulation.
- Scientific Research under the GDPR: Compliance with the data protection principles in Article 5 of the GDPR is required when processing personal data (including in the context of scientific research). This includes the “purpose limitation” principle in Article 5(1)(b) (i.e., that personal data should only be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes) and the storage limitation principle in Article 5(1)(e) (i.e., that personal data should not be kept in a form permitting the identification of a data subject for any longer than is necessary for the purpose of the processing). However, if the processing falls within the definition of scientific research and appropriate safeguards have been implemented pursuant to Article 89(1) of the GDPR, then further processing for scientific research will not be considered incompatible with the initial purpose and the personal data may be stored for longer periods. Article 89(1) of the GDPR requires appropriate safeguards which ensure that technical and organisational measures are in place, in particular to comply with the principle of data minimisation (including, where possible, pseudonymisation). Where it is possible to use anonymous data for the scientific research, anonymous data should be used. The Opinion acknowledges this flexibility under Article 89 of the GDPR but stresses that this cannot be “applied in such a way that the essence of the right to data protection is emptied out” and that in order to take advantage of the exemption, a compatibility assessment should be carried out (i.e., as required under Article 6(4) of the GDPR).
- Legal Basis for Processing: The Opinion outlines the various requirements for valid consent under the GDPR and reiterates that the concept of consent under the GDPR is distinct from that in clinical trials. The EDPS comments that further discussion is required between the research community and data protection experts on the role of consent in the area of scientific research in the digital age. The EDPS also comments on the public interest legal basis and the substantial public interest condition (where processing special categories of personal data). The EDPS is of the view that reliance on the substantial public interest condition for scientific research is at present impossible because reliance on this condition requires a basis in EU or Member State law, and none has currently been adopted. Interestingly, the EDPS does not comment on whether legitimate interest can be relied on as a legal basis.