What happened?

On 2 February 2021, the European Data Protection Board (the "EDPB") adopted its response to the European Commission's request for clarification on the consistent application of the GDPR1 in the field of health research (the "EDPB Response")2.

On several occasions, questions posed to the EDPB have remained partly unanswered or open. The EDPB underlines that it will soon clarify these points in its forthcoming Guidelines on the processing of personal data for scientific research purposes (to be released during 2021).

Main questions tackled by the EDPB

  • Legal basis for processing of health-related data for scientific research purposes

A recurrent question of the European Commission (the "EC") concerned the appropriate legal bases to rely on for processing personal data for scientific research, especially with regard to (i) the cumulative requirements of relying on an appropriate legal basis (at least one of those listed under Article 6 of the GDPR), which may be other than consent, and on an appropriate exemption under Article 9 of the GDPR, (ii) the (in)validity of consent in the context of clinical trials (i.e. the possible imbalance of power between the data subject and the controller)3, and (iii) the conduct of a single research project by one controller in several Member States, which may need to rely on different legal bases depending on the Member States law.

In particular, the EDPB states that the scientific ethical standards (i.e. requiring the informed consent4 of the individuals to participate in a scientific research project) must be distinguished from the consent as a legal basis for processing personal data under Article 6(1)(a) of the GDPR and explicit consent as an exemption for processing special categories of personal data under Article 9(2)(a) of the GDPR. The ethical requirements apply in addition to the GDPR.

  • Further processing of previously collected health data

The EDPB Response also focuses on the further processing for scientific research of previously collected health data by relying on the presumption of compatible use with the original purpose. This question is particularly important as recent experience shows that, for example, samples collected in a particular context (i.e. research in relation to a specific disease) may be of the utmost interest in another context (i.e. research related to other diseases). But for this to be of scientific interest, it is sometimes very useful to be able to contact the person from whom the sample was collected, to be able to examine contextual elements that were not initially collected. Therefore, working with samples of named individuals may become useful over time.5 For further processing of previously collected health data in different research projects:

  • the data must be processed with adequate safeguards as required under Article 89(1) of the GDPR implemented in Luxembourg by Articles 64 and 65 of the Law of 1 August 20186 (e.g. appointing a data protection officer, carrying out an impact assessment, using anonymisation or pseudonymisation, using privacy enhancing technologies, logging access, adopting a code of conduct, etc.);
  • if the exemption relied on under Article 9 of the GDPR for the original purpose of the processing does not apply to the processing for scientific research purposes, the researcher must rely on a different exemption.
     
  • The concept of broad consent

Another clarification concerns the so-called notion of "broad consent" used by the EC. As the concept of "broad consent" does not exist as such in the GDPR, the EDPB assumes that the EC refers to Recital 33, hence considering there is a need to clarify the meaning and scope of that Recital.

Recital 33 suggests that in some cases where the purpose of personal data processing for scientific research  cannot be specified in a precise manner at the time of the collection of data, it should be possible to gather valid consent from data subjects "in more general terms and for specific stages of a research project that are already known to take place at the outset."7 While recognising that Recital 33 allows some flexibility, the EDPB clarifies that this kind of consent has to be accompanied by adequate safeguards to enhance transparency of processing during the research project and that consent has to be specified as much and as soon as reasonably possible.

Finally, the EDPB underlines that Recital 33 should not be understood as an exception or the possibility to work around the principle to articulate in a clear manner the purpose of the processing. The purpose should always be detailed as much as possible, particularly in the initial phase of the research project.

The EDPB nevertheless says that a proper response to this question will require more analysis and discussions. The EDPB will therefore circle back in this respect in its forthcoming guidelines on the processing of personal data for scientific research purposes, expected during 2021.

  • Transparency of data processing: information to be provided to the data subject

The transparency obligations under the GDPR require the controller to inform the data subjects about the processing of their personal data. However, the controller who has not obtained the data from the data subjects can be exempted from the information obligation as per Article 14(5)(b) of the GDPR, where it proves impossible or requires disproportionate efforts to inform data subjects of the further processing of their personal data for research purposes. This exemption does not apply where the controller collected the data directly from the data subject. Therefore, such controllers should take appropriate measures at the time of the data collection to ensure they can meet the further information requirements in the event of a further processing for research purposes.

  • Anonymization, pseudonymisation and other appropriate safeguards

The EDPB pointes out that the possibility to anonymise genetic data with technical and organisational measures remains an unresolved issue. In general, the EDPB expresses its skepticism towards the possibility of anonymising genetic data. Therefore, to remain on the safe side, the EDPB advises that genetic data should be considered as if it was personal data and processed with the necessary appropriate technical and organisational measures to comply with the GDPR.

The EDPB recognises a lack of available information as to what appropriate safeguards should be considered in the context of processing for scientific research purposes. Further clarification on that matter would have to be provided.

What's next?

Although the EDPB's Response constitute a first clarification on questions arising with respect to personal data processed in the context of national and transnational scientific research projects, controllers and researchers must remain faithful to the upcoming EDPB Guidelines on the processing of personal data for scientific research purposes, expected to clarify remaining uncertainties.

Footnotes

  1. Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data.
  2. EDPB Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research
  3. By reference to the EDPB Opinion 3/2019
  4. In addition, Article 28.1(b) and (c) of Regulation (EU) No 536/2014 of 16 April 2014 on clinical trials on medicinal products for human use   provides that "a clinical trial may be conducted only where (...) the subjects, or where a subject is not able to give informed consent, his or her legally designated representative, have been informed in accordance with Article 29(2) to (6) [and] given informed consent in accordance with Article 29(1), (7) and (8)." The timing of the application of this Regulation in all Member States depends on when the so-called EU clinical trials information system will be fully functional (planned to go live in 2022).
  5. See below about the EDPB scepticism on the possibility to anonymise genetic data.
  6. Law of 1 August 2018 on the organisation of the National Data Protection Commission and the general data protection framework.
  7. Point 26 of the EDPB Response.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.