The European Data Protection Supervisor, the independent European Union authority responsible for data protection regulatory oversight, issued a preliminary opinion on data protection and scientific research. The Opinion provides helpful guidance regarding how organizations may conduct clinical and other scientific research in accordance with the special regime for research under the EU General Data Protection Regulation (GDPR). It also questions whether research conducted primarily to serve private interests may be conducted under the research regime.
On January 6, 2020, the European Data Protection Supervisor (EDPS), the independent European Union (EU) authority responsible for data protection regulatory oversight, issued a preliminary opinion on data protection and scientific research (the Opinion). The Opinion provides helpful guidance regarding how organisations may conduct clinical and other scientific research in accordance with the special regime for research under the EU General Data Protection Regulation (GDPR).
The Opinion elaborates on the greater flexibility that the GDPR provides for the processing of personal data for clinical and other research that furthers the public good. The Opinion, however, also cautions that research organisations must employ appropriate safeguards to protect research participants’ privacy and other rights. Such safeguards include, for example, compliance with ethical standards for research that typically require oversight by a research ethics committee, and informed consent (Informed Consent) by research participants (or approval of a waiver of the Informed Consent requirement by the ethics committee as applicable law permits) even if consent is not the legal basis for processing personal data under the GDPR or other data protection laws (Privacy Consent). As a result, the Opinion more closely aligns the approach for the regulation of research in the US under the Federal Policy for the Protection of Human Subjects (the Common Rule) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), on the one hand, with the approach in Europe under the GDPR and other EU and Member State laws, on the other.
Interestingly, the Opinion states that for-profit commercial entities can engage in scientific research, but suggests that in this context, the GDPR framework applies only where the research is conducted with the aim of growing society’s collective knowledge and well-being, rather than to serve primarily private interests. The Opinion also raises a number of questions about how to regard data access restrictions imposed due to intellectual property, competition, or other business interests in the context of considering what properly constitutes scientific research.
This On the Subject will cover the following aspects of the Opinion:
- Definition of Research for Purposes of the GDPR
- GDPR Principles and Special Data Protection Regime for Research
- Legal Bases for Research
- Transparency Requirements
- Derogations to Data Subject Rights
- Purpose Limitation and Presumption of Compatibility
- Our Suggested Recommendations for Compliance with the Opinion
How Does the GDPR Define Research?
The GDPR adopts a broad conception of research in GDPR Recital 159, which includes “technological development, fundamental and applied research and privately funded research” and “studies conducted in the public interest in the area of public health.” This broad interpretation is reinforced by Recital 157 of the GDPR, which recognises that useful scientific data can be collected from data registries (e.g., hospital registries for research into widespread medical conditions and social security registries for socio-economic research).
The EDPS concludes in the Opinion that “not only academic researchers but also not-for-profit organisations, governmental institutions or profit seeking commercial companies can carry out scientific research.” While the EDPS recognises that commercial research can constitute scientific research (that benefits from the GDPR’s special regime for research), the EDPS emphasises that scientific research is carried out with the aim of society’s collective knowledge, rather than to primarily serve private interests or commercial ends.
The EDPS also notes that the special regime for research “reflects a clear intention to adapt data protection rules to the specific circumstances and public interests served by research activities.” Accordingly, the Opinion clarifies the EDPS’s position that the regime should apply only if the research meets the following criteria:
- Personal data is processed;
- Relevant sectoral standards of methodology and ethics apply, including the notion of Informed Consent, accountability and oversight; and
- The research is carried out with the aim of growing society’s collective knowledge and well-being, as opposed to serving primarily private interests.
Consequently, the Opinion conflates data ownership, ethics and competition law with data protection compliance in a manner that adds additional complexity and confusion for the research community. Based on the Opinion, entities engaged in activities that are designed primarily to serve private interest or commercial ends should carefully consider whether such activities would constitute scientific research under the GDPR.
GDPR Principles and Special Data Protection Regime for Research
The GDPR provides a baseline framework for protecting personal data. This framework is centered on the following data protection principles:
- Lawfulness, Fairness and Transparency: Processing personal data lawfully, fairly, and in a transparent manner;
- Purpose Limitation: Processing personal data for specific, explicit and legitimate purposes and in an appropriate way;
- Data Minimisation: Ensuring that personal data is adequate, relevant and limited to what is necessary for the purpose;
- Accuracy: Ensuring that personal data is accurate and, where necessary, kept up to date;
- Storage Limitation: Ensuring that personal data are not kept longer than necessary for the purposes for which the personal data are processed;
- Integrity and Confidentiality: Ensuring that personal data is held securely; and
- Accountability: Taking responsibility for and demonstrating compliance with the GDPR.
Legal Bases for Research
To meet the GDPR lawfulness principle, a data controller or processor must have a legal basis for processing personal data. Legitimate interests and Privacy Consent are the two most frequently used legal bases under Article 6 of the GDPR for scientific research involving personal data that is not health data or another special category of personal data. We discuss the EDPS’s comments on use of Privacy Consent as a legal basis for scientific research below.
For scientific research involving health data or other special categories of personal data, the most common legal bases are:
- With an explicit Privacy Consent; and
- Without a Privacy Consent where processing is necessary for the purposes of scientific research pursuant to EU law or the law of an EU member state (Member State) under GDPR Article 9(2)(j) and Article 89.
Lawfulness of Processing: Special Data Protection Regime for Research
Like the EU Privacy Directive previously, the GDPR establishes a special data protection regime (i.e., a privileged position) for the processing of personal data for scientific research purposes through the following important special provisions:
- Non-Consent Legal Basis. The GDPR includes a legal basis in Article 9(2)(j) for the processing of health data and other special categories of personal data for scientific research purposes without Privacy Consent, provided that appropriate safeguards for the rights and freedoms of the data subject are in place. While the GDPR does not exhaustively specify what those safeguards are, Article 89 indicates the purpose of the safeguards is to “ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation.” These measures may include pseudonymisation provided it enables meeting the intended research purposes. “Pseudonymisation” means “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” For example, individual-level de-identified data with key codes that allow re-identification of the individuals who are the subjects of the de-identified data is generally considered pseudonymised personal data under the GDPR.
- EU and Member State Research Laws. Articles 9(2)(j) and 89 allow the processing of sensitive categories of personal data to be based on EU or Member State law rather than a legal basis specified in the GDPR. The EDPS recognises that the flexibility afforded to Member States (absent harmonised EU law such as for clinical trials under the Clinical Trial Directive) means that the full extent of the “special regime is not precisely delineated.” The adoption of Member State level legal bases has also led to a lack of a pan-European approach for research.
- Derogations from Data Subject Rights. The GDPR also permits Member States to adopt derogations to the GDPR data subject’s rights to access, rectification, restriction of processing, and to object, if the derogations are necessary to further research purposes.
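To make the GDPR definition of pseudonymisation quoted in the first bullet above concrete, here is an added illustration (example code, not from the Opinion, the EDPS or McDermott): direct identifiers are replaced by a subject code, and the “additional information” needed to re-identify a participant (a secret and the code table) is held in a separate store. The records, the HMAC-SHA256 coding scheme and the `KeyStore` class are constructed assumptions for the example.

```python
# Added example of pseudonymisation as defined in GDPR Art. 4(5): research
# records keep the health data, the code-to-identity mapping lives elsewhere.
# Constructed example; the dataset, field names and KeyStore are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records: direct identifiers plus health data (not real).
SAMPLE_RECORDS = [
    {"nhs_number": "943 476 5919", "name": "A. Example", "dob": "1971-03-02",
     "diagnosis": "type 2 diabetes", "hba1c": 7.9},
    {"nhs_number": "401 023 2137", "name": "B. Example", "dob": "1985-11-17",
     "diagnosis": "hypertension", "hba1c": 5.4},
]

# Fields that directly identify a participant and must not reach the dataset.
DIRECT_IDENTIFIERS = ("nhs_number", "name", "dob")


@dataclass
class KeyStore:
    """The 'additional information' kept separately: a secret and the
    code->identifier table. In practice this sits under its own access
    controls and retention rules; here it is simply a separate object."""
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    code_table: dict = field(default_factory=dict)

    def code_for(self, subject_id: str) -> str:
        # Keyed hash: without the secret, a code cannot be recomputed from the
        # NHS number, so the dataset on its own does not permit attribution.
        digest = hmac.new(self.secret, subject_id.encode(), hashlib.sha256)
        return digest.hexdigest()[:16]


def pseudonymise(records: list, keystore: KeyStore) -> list:
    """Return research records with direct identifiers replaced by a code.
    The mapping back to identity is written only into the separate keystore."""
    out = []
    for rec in records:
        code = keystore.code_for(rec["nhs_number"])
        keystore.code_table[code] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        research_fields = {k: v for k, v in rec.items()
                           if k not in DIRECT_IDENTIFIERS}
        out.append({"subject_code": code, **research_fields})
    return out


def reidentify(code: str, keystore: KeyStore) -> Optional[dict]:
    """Re-identification needs the keystore (e.g. to feed back a clinically
    significant finding); a different keystore yields nothing."""
    return keystore.code_table.get(code)


def contains_direct_identifiers(records: list) -> bool:
    """Pre-release check on the research dataset: no direct identifier left."""
    return any(k in rec for rec in records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    ks = KeyStore()
    research_set = pseudonymise(SAMPLE_RECORDS, ks)
    print(research_set)
    print(reidentify(research_set[0]["subject_code"], ks))
```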
The Opinion does not analyse the application of individual Member State laws. Such an absence of analysis is curious, as national laws add an important additional layer of complexity, as there is no single standard that applies across the EU. Conversely, the Opinion incorrectly states that these Member State laws do not exist. Further, in the UK, local law considerations will, of course, also be subject to Brexit considerations, particularly as the UK will shortly undergo a process of assessment of its adequacy for data transfers between the UK and the EU.
Requirements for Conducting Research without Consent under GDPR Article 9(2)(j)
GDPR Article 9(2)(j) provides a non-consent legal basis for the processing of sensitive personal data for research purposes if the research:
- Is necessary for archiving purposes in the public interest, scientific or historical research or statistical purposes. GDPR Recital 159 interprets scientific research purposes broadly to include, for example, technological development and demonstration, fundamental research, applied research and privately funded research as research that can potentially be permitted under Article 9(2)(j);
- As required by GDPR Article 89(1), is subject to appropriate safeguards to protect the privacy rights of individuals, including technical and organisational security measures and the use of pseudonymisation or other data minimisation techniques. Where a research purpose can be fulfilled by anonymisation, i.e., further processing that does not permit the identification of data subjects, the purposes must be fulfilled in that manner;
- Is based on EU or Member State law. For example, Schedule 2 of the UK Data Protection Act 2018 includes a legal basis under UK law (discussed below);
- Is proportionate to the aim pursued; and
- Respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
We note, however, that while Article 9(2)(j) and Article 89 do not require a data controller to obtain a Privacy Consent, a data controller may still need to obtain Informed Consent in order to comply with Member State laws implementing Article 9(2)(j) or otherwise regulating scientific research activities, with laws other than the GDPR and with research ethical standards, as well as to serve as a safeguard under Article 89.
Member State law implementations of GDPR Article 9(2)(j) often require Informed Consent for the research use of human tissue samples and an accredited medical ethics committee to review and approve a proposed “medical scientific research” study. However, Member State laws implementing Article 9(2)(j) are inconsistent. The Opinion acknowledged this, stating that this flexibility afforded to Member States means that the full extent of this special regime is not precisely delineated. The Opinion does make it clear, however, that the special regime for research cannot be applied in such a way that undermines the essence of the right to data protection, including data subject rights, appropriate organisational and technical measures against accidental or unlawful destruction, loss or alteration, and the supervision of an independent authority. Consequently, the EDPS may interpret the use of the special regime restrictively, citing the retention of personal data for indefinite periods and attempts to deny data subjects rights to information as two such examples.
We note that the Opinion does not consider Informed Consent exemptions contained in domestic health regulations such as the UK’s statutory regime for seeking exemption from the need to obtain Informed Consent for tissue samples in Section 251 of the National Health Service Act 2006 and its current Regulations. Given that the main concern with the Opinion is with the research ethics of personal data processing, this is a surprising omission.
Requirements for Consent as Legal Basis
The GDPR prescribes a high standard of Privacy Consent. In order for a Privacy Consent to be valid under the GDPR, it must meet the following requirements:
- Be freely given: This means genuine choice and control for data subjects, meaning that in a research context, the use of enticements, inducements or rewards to elicit Privacy Consent may call into question the extent to which Privacy Consent is coerced rather than freely given for each research purpose.
- Specific, informed and unambiguous: The GDPR requires that Privacy Consent should be clearly given in relation to one or more specific purposes.
- Explicit (for sensitive personal data): The GDPR also requires that Privacy Consent be “explicit” for a Privacy Consent to process sensitive categories of personal data. Explicit Privacy Consent is essentially the highest level of unambiguous consent such as the ticking of an unchecked check box and clicking an “I consent” button.
The GDPR and the Opinion recognise that, in practice, it can be difficult for researchers to specifically describe and inform research subjects about all research purposes where the research studies and their aims have not been fully identified before the point of collection. GDPR Recital 33 recognises this and confirms that “[i]t is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research.”
There is also a risk that a project may be approved by a research ethics committee before the parties involved in the research have been able to properly assess whether all of the contemplated current and future data uses are fully captured. This may also delay the delivery of projects where counterparties and in-house researchers do not fully understand, or do not have access to, tailored resources and guidance to facilitate their projects in the near and long term in a compliant, commercially viable and time-efficient way.
The Opinion states, however, that Recital 33 does not take precedence over the GDPR requirements for valid Privacy Consent, and advises that the controller should carefully evaluate and balance the rights of the data subject, the sensitivity of the data, the nature and purpose of the research and the relevant ethical standards. The EDPS further cautions that this balancing of the interests of the research aims and privacy is particularly challenging where the distinction between scientific research to further common good and other research to further private, commercial ends has become blurred.
When a data controller cannot fully specify research purposes, the Opinion states the controller should employ greater transparency about research purposes and other safeguards such as compliance with relevant research ethical standards that involve ethics committee oversight and employing Informed Consent to participate in research or the collection of human tissue samples.
The Opinion also suggests that researchers consider using innovative forms of consent for research. Such methods include tiered and dynamic consent that involve ‘just in time notices’ and simplified notices designed to explain and act as signposts for more complex materials that the average person may have difficulty understanding. However, such methods can be onerous to implement and not readily available to investigators or research organisations that do not have the resources or other means with which to implement such processes.
Privacy Consent versus Informed Consent
It is important to note that Informed Consent obtained for human subject protection purposes differs conceptually, legally, ethically and operationally from Privacy Consent as a lawful basis to process personal data under GDPR and other data protection legislation. An Informed Consent generally provides information about a study’s purpose, what participation in the study entails, and any risks or benefits resulting from participation in the research study. In particular, the EDPS makes clear that to view Informed Consent and Privacy Consent as a single and indivisible requirement would be “simplistic and misleading.”
In practice, there are particular consent form drafting challenges when the form requests Informed Consent, but not Privacy Consent for GDPR purposes because the research involves a non-consent legal basis for the processing of personal data. In those cases, many research participants are unlikely to understand the nuanced distinction between consenting to research participation, but being told that they are not being asked for a Privacy Consent, particularly when the Informed Consent describes confidentiality as a risk and privacy protections as a safeguard. To that end, if a researcher intends to obtain Informed Consent and not Privacy Consent, the researcher should either separate the notice delivered to research participants for compliance with the GDPR’s transparency requirements from the Informed Consent form or, alternatively, clearly describe the non-consent legal basis within a single form that complies with the GDPR’s transparency requirements and obtains Informed Consent. For example, if a single form is utilised, it may be helpful to graphically separate the transparency language from the Informed Consent language.
The Opinion considers that GDPR requirements for fairness and transparency are echoed by the principle of informed consent in research ethics. The EDPS confirms that participants should understand that they are taking part in research and what the research requires of them without having been coerced or deceived.
The Opinion restates the requirements for transparency under the GDPR, namely that all individuals must be provided with the information prescribed under GDPR Article 13 (e.g., who is collecting the data, the purposes of the processing, the legal bases and any recipients of that data). In the context of a research study, the transparency obligations are typically met through the consent form. Thus, the consent form may serve three purposes: (1) Informed Consent, (2) Privacy Consent and (3) transparency notice.
Derogations to Data Subject Rights
GDPR Article 89 outlines the specific conditions under which EU or Member State law may derogate from (i.e., create exceptions to) the data subject’s right of access, right to rectification, right to restriction and right to object. Derogations can be applied only in so far as the rights to be derogated from are “likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.”
The Opinion states that GDPR intends to impose a “high bar” for such derogations. However, the Opinion effectively lowers the bar by also recognising that in specific circumstances, a large number of individuals objecting to all or part of a scientific research may have a negative effect on the representativeness and reliability of the research data and thus on the integrity of research.
Purpose Limitation and Presumption of Compatibility
Under the GDPR principle of purpose limitation, personal data must always be collected for specified, explicit and legitimate purposes and further processing of the same data is not permitted for purposes incompatible with the original purpose for processing. GDPR Article 6(4) establishes criteria for determining the compatibility of further or secondary use of personal data such as the degree of linkage between the purposes and the context in which the personal data was collected. If the controller shares or further processes the data for purposes incompatible with the original purposes then a new valid legal basis may be needed.
As part of the special regime for research, the GDPR includes the following presumption of compatibility: “further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.” This presumption depends on the requirement in GDPR Article 89(1) to ensure appropriate technical and organisational safeguards. This is not a general authorisation, but in principle, personal data collected in a healthcare context, for example, may be further used for scientific research purposes by the original or new controller if appropriate safeguards are in place. This permissive provision is useful for re-purposing personal data for research purposes, but the Opinion cautions that the compatibility test under GDPR Article 6(4) should still be considered prior to the reuse of data for the purposes of scientific research, particularly where the data was originally collected for very different purposes or outside the area of scientific research. Potential risk mitigation such as pseudonymisation techniques, deploying effective data governance strategies and ongoing data protection impact assessments will no doubt increase in importance.
Considerations for the Commercial Use of Data
Finally, the Opinion reflects the EDPS’s concern regarding the secondary use of data for commercial purposes. The Opinion suggests that if the data controller that initially collects the data relies on research as its legal basis for processing, then commercial entities that subsequently receive the data cannot presume that the research ground will cover their subsequent processing, especially if the commercial entity is processing for purely commercial gain. More broadly, the EDPS is also concerned with practices and arrangements that it perceives as resulting in restricted access to data that should be made available to researchers to serve the public interest, where such practices or arrangements are motivated by a “business incentive.”
Undoubtedly, this aspect of the Opinion will lead to extensive policy discussion and consultation about the respective roles of researchers, technology companies and other commercial entities, and commercial funding or other involvement in research by academic institutions. From a practical perspective, it is imperative that parties understand what is required in information notices and commercial agreements to ensure that any data rights or use cases that are important to the parties are adequately covered, so that a fair balance can be struck, whilst preserving data and intellectual property rights. To the extent that arrangements involve exclusive rights to data or other commercial dimensions, parties involved should align on appropriate messaging and consider whether the use of the data would satisfy the three-pronged definition of “scientific research” as set forth in the Opinion and discussed above.
Organisations conducting research involving European residents’ personal data should consider the following practical steps as a result of the Opinion:
- If you would like to submit comments to the EDPS regarding the Opinion, you may contact any of the authors or your regular McDermott attorney for assistance. McDermott’s London Cyber Team is registered for lobbying and can assist with queries regarding policy responses to the Opinion. There is no official closing date for comments, but the EDPS encourages timely response due to the complexity of the issues that the Opinion raises. We would, therefore, recommend providing responses and comments on the Opinion by the end of February, prior to the next meeting of the European Data Protection Supervisory Board.
- Commercial entities and their business partners should carefully evaluate the Opinion’s definition of “scientific research” and its applicability to any contemplated project or initiative, particularly in light of remarks by the EDPS highlighting the importance of the research serving societal interests.
- The notion of compatibility and the principle of lawfulness require careful analysis, particularly where the data was originally collected for different purposes or outside the area of scientific research, re-use and/or commercialisation. Organisations can expect to be increasingly judged by reference to accountability, internal governance and application of consistent recognised ethical standards.
- Research organisations should consider revising template Informed Consent forms to ensure that the Informed Consent for participation in a research study is organisationally or graphically separate from the Privacy Consent for processing under data protection legislation. Companies should consider whether it is practical to obtain tiered consents under which research participants are invited to select from a menu of options with respect to future research, and should also examine the possibility of using innovative forms of consent in research activities, such as tiered and dynamic consent.
- Research organisations should consider employing data protection impact assessments as tools for conducting the balancing tests contemplated by the GDPR’s special regime for research.