The European Data Protection Supervisor has published an opinion on data protection and scientific research.
The opinion states that scientific research depends on the exchange of ideas, knowledge and information. Where it involves the processing of personal information, it is subject to applicable law including the GDPR and Regulation 1725/2018 for EU institutions. The rules provide for some flexibility for genuine research projects that operate within an ethical framework and aim to grow society’s collective knowledge and well-being. How this special regime should operate in practice is under discussion. Some argue that the GDPR offers too much flexibility, others that the rules threaten vital research activity.
Digitisation has made generating and disseminating personal data easier and cheaper, and has transformed how research is carried out. The boundary between private sector research and traditional academic research is blurred, and it is increasingly difficult to distinguish research with benefits for society from research which primarily serves private interests. Corporate secrecy is a major barrier to social science research.
In the health science sector, medical research and clinical trials generally take place within an established framework of professional ethical standards. The interaction between this framework and the GDPR is being discussed within the European Data Protection Board.
The special regime applies the usual principles such as lawfulness, purpose limitation and data subject rights, but permits some derogations from controller obligations. This includes the presumption of compatibility of processing for scientific research purposes of data collected in commercial and other contexts, provided appropriate safeguards are in place. This flexibility assumes that research occurring within a framework of ethical oversight serves, in principle, the public interest. The accountability principle is therefore key, as it requires controllers to assess honestly and manage responsibly the risks inherent in their research projects. Such risks can be very high where, for example, organisations are processing sensitive data on health or political or religious views. Consent as a legal basis for processing must be freely given, specific, informed and unambiguous. This differs conceptually and operationally from ‘informed consent’ of human participants in research. Such ‘informed consent’ may still serve as a safeguard in cases where consent is not appropriate as a data processing legal basis.
Scientific research serves a valuable function in a democratic society to hold powerful players to account, and this has grown in importance as control over information flows has become concentrated in the hands of a few private global companies. Data protection obligations should not be misappropriated as a means for powerful players to escape transparency and accountability. The EDPS says that researchers operating within ethical governance frameworks should be able to access necessary API and other data, with a valid legal basis and subject to the principle of proportionality and appropriate safeguards.
The EDPS recommends intensifying dialogue between data protection authorities and ethical review boards for a common understanding of which activities qualify as genuine research. It also recommends EU codes of conduct for scientific research, closer alignment between EU research framework programmes and data protection standards, and a debate on the circumstances in which access by researchers to data held by private companies can be based on public interest.