Jan 202020

New Guidance Published Addressing Scientific Research and the GDPR

William RM Long, Francesca Blythe and Josefine Sommer
, , , ,

A recent opinion from the European Data Protection Supervisor (EDPS) on data protection and scientific research builds on an opinion from January 2019 from the European Data Protection Board on the GDPR and clinical trials. The Opinion from the EDPS should be taken into account by life sciences companies in their ongoing assessment of how to apply the GDPR to scientific research both in clinical trials and more broadly.

The EDPS – an independent supervisory authority whose primary objective is to ensure that European institutions and bodies respect the right to privacy and data protection – recently published a preliminary opinion on data protection and scientific research (the Opinion). The EDPS acknowledges the critical importance of scientific research but states that “data protection obligations should not be misappropriated as a means […] to escape transparency and accountability.”  In particular, according to the EDPS, compliance with data protection laws is “wholly compatible” with responsible scientific research. However, the EDPS recommends intensifying dialogue between data protection authorities (DPAs) and ethical review boards for a common understanding of which activities amount to genuine research and expects further guidance to be published by the European Data Protection Board – an independent European body, composed of representatives of the national DPAs and the EDPS.

Some of the key takeaways from the Opinion include:

  • The Key Players: The Opinion describes the shift in the landscape of scientific research i.e., away from academia towards the commercial sector. Importantly, this shift includes companies not previously in the life sciences industry e.g., big data analytics firms and social media companies whose business models result in the accumulation of vast quantities of data.
  • The 3 Criteria: The EDPS adopts the definition for scientific research previously adopted by the former Article 29 Working Party in its Guidance on Consent under the GDPR. The EDPS asserts that for research to meet this definition the following three criteria must be met: (i) the processing of personal data; (ii) the scientific research must be carried out within an established ethical framework which includes the notion of informed consent, accountability and oversight; and (iii) the scientific research must be carried out with the aim of growing society’s collective knowledge and wellbeing,e., as opposed to research which primarily serves private interests).
  • Wider Governance Framework: The Opinion provides an overview of the wider governance framework for scientific research in the EU. This includes an overview of the requirements around consent in the context of clinical trials – a topic which has recently been addressed by the EDPB in the context of the GDPR and the Clinical Trials Regulation.
  • Scientific Research under the GDPR: Compliance with the data protection principles in Article 5 of the GDPR is required when processing personal data (including, in the context of scientific research). This includes the “purpose limitation” principle in Article 5(1)(b) (i.e., that personal data should only be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes) and the storage limitation principle in Article 5(1)(e) (i.e., that personal data should not be kept in a form permitting the identification of a data subject for any longer than is necessary for the purpose of the processing). However, if the processing falls within the definition of scientific research and appropriate safeguards have been implemented pursuant to Article 89(1) of the GDPR, then further processing for scientific research will not be considered incompatible with the initial purpose and the personal data may be stored for longer periods. Article 89(1) of the GDPR requires that appropriate safeguards which ensure technical and organisational measures are in place in particular, to comply with the principle of data minimisation (including, where possible pseudonymisation). Where it is possible to use anonymous data for the scientific research, anonymous data should be used. The Opinion acknowledges this flexibility under Article 89 of the GDPR but stresses that this cannot be “applied in such a way that the essence of the right to data protection is emptied out” and that in order to take advantage of the exemption, a compatibility assessment should be carried out (i.e., as required under Article 6(4) of the GDPR).
  • Legal Basis for Processing: The Opinion outlines the various requirements for valid consent under the GDPR and reiterates that the concept of consent under the GDPR is distinct from that in clinical trials. The EDPS comments that further discussion is required between the research community and data protection experts on the role of consent in the area of scientific research in the digital age. The EDPS also comments on the public interest legal basis and the substantial public interest condition (where processing special categories of personal data). The EDPS is of the view that reliance on the substantial public interest condition for scientific research is at present impossible because reliance on this condition requires a basis in EU or Member State law for which none have currently been adopted. Interestingly, the EDPS does not comment on whether legitimate interest can be relied on as a legal basis.
William RM Long

London

wlong@sidley.com

Francesca Blythe

London

fblythe@sidley.com

Josefine Sommer

Brussels

jsommer@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.