Research and the General Data Protection Regulation
This post is the first in a new series for LAGO where project partners talk about key ideas and recent study results from the project.
Author: Dr Laura Drechsler, Research Fellow, Centre for IT & IP Law, KU Leuven
Data is and always has been the lifeblood of research. It takes various forms, from text to images to audio recordings, and can include information ranging from the flight patterns of birds to the DNA profiles of suspects in a criminal investigation.
Within the EU, personal data, defined as ‘any information relating to an identified or identifiable natural person’, are protected by a special set of rules—EU data protection law—whenever they are processed (see, for example, Article 4(1) of the General Data Protection Regulation (GDPR)). Processing is broadly defined and encompasses all activities within the lifecycle of personal data in a research project (see Article 4(2) GDPR). Research activities involving personal data are therefore mainly regulated by the GDPR, a broad omnibus law that lays down obligations for those processing personal data (called ‘controllers’ in the GDPR), grants rights to individuals when their personal data are processed, and establishes special supervisory authorities (called ‘data protection authorities’) to ensure supervision of and compliance with the GDPR.
Research institutions using personal data for their research qualify as controllers and are therefore required to abide by the obligations set by the GDPR. These obligations are grounded in ten data protection core principles, namely (1) lawfulness, (2) transparency, (3) fairness, (4) purpose specification, (5) purpose limitation, (6) data minimization, (7) accuracy, (8) storage limitation, (9) integrity and confidentiality, and (10) accountability, which have to be respected for any activity involving personal data within the scope of the GDPR (Article 5 GDPR). The objective behind these principles, and behind the GDPR in general, is the idea that the processing of personal data affects a variety of fundamental rights, especially the fundamental right to personal data protection embedded in the Charter of Fundamental Rights of the EU (Article 1 GDPR).
While research institutions as controllers are therefore required to ensure compliance with the GDPR whenever their activities concern personal data, the regulation does foresee some ‘research privileges’ to make such compliance easier. Research is understood broadly by the GDPR, ‘including for example technological developments and demonstration, fundamental research, applied research, and privately funded research’ (recital 159 GDPR). The research privileges allow, for example, under certain conditions, the re-use for research purposes of personal data originally collected for a different purpose (see Article 5(1)(b) GDPR), or the storage of personal data for a longer period than is normally possible (Article 5(1)(e) GDPR). Some research privileges depend for their effect on further national or EU legislation, for example those relating to exceptions from data subject rights (Article 89(2) and (3) GDPR).
All research privileges can only be relied upon if the research project sets up ‘appropriate safeguards’ to ensure the protection of individuals’ fundamental rights (Article 89(1) GDPR). The GDPR describes such safeguards as ‘technical and organisational measures’ but otherwise leaves open what they could be, though it names ‘pseudonymisation’ and ‘anonymisation’ of personal data as examples (Article 89(1) GDPR).
Applying the principle-based approach of the GDPR to research activities can be challenging at times. Principles such as ‘transparency’, which requires that individuals be given appropriate information so that they understand what will happen with their personal data, appear difficult for a research project, which might not know at the outset what exactly will happen. The fact that research privileges rely on appropriate safeguards, which are left undefined and sometimes require further legislation, can make it difficult to determine when and how they apply in the context of a specific research project. As a study by Kindt et al. demonstrates, there are also vastly different interpretations and implementations of the privileges across the Member States, further complicating the data protection framework for research projects.
Nevertheless, because its principle-based approach allows for flexibility, the GDPR also offers opportunities for designing research processes and research spaces that ensure the utmost respect for the fundamental rights and freedoms of individuals while enabling research to take place efficiently. Respect for fundamental rights will in turn translate into greater individual trust in scientific research and its outputs.
Dr Laura Drechsler is a research fellow at the Centre for IT & IP Law of KU Leuven, focusing on the protection of fundamental rights when data are used (Twitter, LinkedIn). The research was funded by the European Union, Grant Agreement No. 101073951 (LAGO project). The views and opinions expressed are, however, those of the author(s) only and do not necessarily reflect those of the European Union or the European Research Executive Agency. Neither the European Union nor the granting authority can be held responsible for them.