On February 2, 2021, the European Data Protection Board (EDPB) issued guidance on the processing of personal data for research purposes in response to questions posed by the European Commission (Document). The Document aims to provide clarity on the application of the General Data Protection Regulation (GDPR) to scientific health research. In particular, the Document provides high-level guidance on pertinent issues such as consent for scientific research purposes, appropriate legal bases, and data repurposing.
Background
Since the GDPR became effective, it has triggered quite a few questions as to how the scientific and health research community should comply. One of the reasons is that the GDPR allows member states to specify a number of rules relevant to health research, such as, potential derogations to i) the data subject rights regime[1] and ii) the rules concerning processing of sensitive data.[2] Member states may need to ensure “appropriate safeguards” when using the derogations, which leaves the door open to varying national requirements. In addition, the complexity increases when considering how the GDPR intersects with other regulatory frameworks, such as the Clinical Trials Regulation (Regulation (EU) No 536/2014).[3]
On July 8, 2020, the European Commission submitted 21 questions to the EDPB to obtain clarification and a consistent application of the GDPR’s requirements on the matter. The EDPB responded to these questions through the Document, while emphasizing that it is currently developing more detailed guidelines on the same subject matter which are due later this year. As such, the EDPB’s responses should be considered a first attempt to tackle misunderstandings on the application of the GDPR to health research.
Key Takeaways
Below we set out the key takeaways of the Document.
- Informed consent v. GDPR consent. The Document confirms that informed consent to participate in a scientific research project is separate from consent under the GDPR to process personal data. Obtaining the individual’s informed consent to participate in a health research project is a general requirement in light of applicable ethical standards, as reflected in the Oviedo Convention and Helsinki Declaration.[4] The EDPB reminds data processing entities that consent needs to be “freely given” and that consent “is not an appropriate legal basis in research activities where there is a clear imbalance of power between the data subject and the controller.” A concrete imbalance may be present if the participating data subject is in poor health and there is no therapeutic treatment outside the clinical trial.[5] Despite the EDPB’s position, it is (and has been) a longstanding common practice for research organizations to rely on individuals’ consent to process personal data for health research purposes. The EDPB seems to recognize such practice, but requires (health) research players to conduct careful assessments to ascertain that individuals have real choice. Furthermore, national law should also be considered, since it may permit the processing of health-related data without consent.[6]
- Legal basis for research projects in multiple member states. The EDPB recommends using—where possible—the same legal basis for an entire cross-country health research project. However, in practice this may be a challenge due to varying member state laws that may differ from the general GDPR provisions regarding sensitive data processing. For instance, as already mentioned, member state law may provide for a legal basis other than consent to process sensitive data for health research purposes, which may add conditions or safeguards that vary between member states. In practice, it will be important to understand the specific national requirements and work towards a “common denominator” of protective measures.
- Further processing. The GDPR provides that further processing for scientific or research purposes is considered compatible with the initial purposes for which the data was collected.[7] However, research organizations re-using personal data will need to ensure that “appropriate safeguards” are in place, such as data minimization, use of pseudonymized data or strong encryption.[8] The EDPB clarifies that this “presumption of compatible use” does not automatically apply with respect to sensitive data processing. In such cases, a specific exemption for the processing of sensitive data must be available to justify further re-use.
- Broad consent. The Document recognizes that the GDPR allows flexibility regarding the specificity of consent in the context of scientific research. If all the purposes cannot be specified at the time of data collection, the EDPB states that the GDPR allows “data subjects to consent for a research purpose in more general terms and for specific stages of a research project that are already known to take place at the outset.” This so-called “broad consent” should be accompanied by adequate safeguards to enhance the transparency of the processing during the research project and to ensure that the consent will be specified as much and as soon as reasonably possible. Also, the data subjects should be able to tailor or withdraw their consent anytime during the research project.
- Transparency. The Document explains that the GDPR offers an exception to the general obligation to provide data subjects with a privacy notice when the data has not been collected from the data subject, but from another source. This exception can be relied upon in the context of scientific research when providing a privacy notice is impossible, would involve a disproportionate effort, or is likely to render impossible or seriously impair the achievement of the scientific research purposes.
- Anonymization and other safeguards. The Document reiterates that health researchers should clearly distinguish between pseudonymization and anonymization when they process data. Pseudonymized data is considered personal data under the GDPR, whereas anonymized data is not—meaning that the GDPR no longer applies after personal data has been anonymized. Pseudonymization is considered an additional safeguard to protect the personal data and to satisfy privacy-by-design and privacy-by-default requirements. Anonymization may be particularly challenging to achieve in practice due to ongoing technological advancements and progress in the field of re-identification.
- Data Protection Impact Assessments. A Data Protection Impact Assessment (DPIA) is required when scientific research is likely to result in a high risk to the rights and freedoms of data subjects. The EDPB stresses the importance of considering the non-exhaustive requirements of the GDPR for carrying out a DPIA along with the guidelines on DPIA[9] endorsed by the EDPB, and the Supervisory Authority (SA) guidance regarding processing operations that require a DPIA (blacklists) or do not (whitelists). The SA listings may cause variations to the requirement of conducting a DPIA in different member states.
Conclusion
The Document provides an overview of some of the most challenging issues when conducting health research under the GDPR. The EDPB explains that most of the questions of the European Commission call for more in-depth analysis and/or development of additional examples and best practices. As such, it is expected that the EDPB will further elaborate on the topic of scientific research in its upcoming guidelines, due later this year.
Wilson Sonsini Goodrich & Rosati routinely advises clients on GDPR compliance issues, and helps clients manage risks related to the enforcement of global and European data protection laws. For more information, please contact Jan Dhont, Nikolaos Theodorakis, Sam Meijer, or another member of the firm’s privacy and cybersecurity practice.
[1] Article 89 GDPR.
[2] Article 9(2)(j) jo. Article 9(4) GDPR.
[3] In this context, the European Commission provided some guidance in its document named “Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Directive (GDPR).” The EDPB provided its view on the same questions in its Opinion 3/2019. Please see our contribution on the matter here: https://www.wsgrdataadvisor.com/2019/02/edpb-opinion-on-ctr-and-gdpr/#more-2232.
[4] European Convention on Human Rights and Biomedicine of 1997 (Oviedo Convention) and World Medical Association Declaration of Helsinki of 1964 (Helsinki Declaration).
[5] Paragraph 8 of the Document.
[6] Article 9(2)(j) GDPR provides for the possibility of creating a legal basis in member state law for processing health data as necessary for scientific research purposes. Such member state law should be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
[7] Article 5(1)(b) GDPR.
[8] Article 89(1) GDPR.
[9] The guidelines on DPIA’s were adopted in 2017 by the EDPB’s predecessor (the Article 29 Working Party) and have been endorsed by the EDPB.