editorial
2020 Apr 11;37:105431. doi: 10.1016/j.clsr.2020.105431

Data protection and research: A vital challenge in the era of COVID-19 pandemic

Gianclaudio Malgieri 1
PMCID: PMC7151303

The issue of data protection in research is becoming of pivotal importance, in particular in the last months with the pandemic emergency of COVID-19.1 Studying the development of the outbreak in affected populations from a scientific and statistical perspective is necessary to understand the trend of contagion, the effectiveness of social distancing measures, the most vulnerable people who are the target of the virus, etc. This has posed several questions in terms of privacy and data protection.2 Medical researchers and even data scientists might use health data of patients for secondary purposes, different from the original purpose of the mere provision of healthcare services. In addition, researchers might analyse telecom data, such as location data,3 of patients (or just of citizens of the most affected areas) to understand their movements and the spread of the virus.4 Also, beyond research, these data have high potential for further purposes (state surveillance on infected people, the enforcement of social distancing rules, etc.), and related high risks for fundamental rights and freedoms of data subjects (discrimination, stigmatization, unnecessary state surveillance and related chilling effect, profiling for manipulative purposes, etc.).5

Accordingly, the application of privacy and data protection rules to research has received greater attention in the media, in institutions and in the academic arena, although the topic does not seem to have been adequately discussed in the literature so far, with few but relevant exceptions in the last months.6 This is why the need to further analyse this topic is even more pressing today. This special issue of Computer Law and Security Review has this goal: investigating the rules, potentialities and open issues of data processing for research purposes.

The entry into force of the GDPR has given much more relevance to the issue of data protection in the field of research. The notion of research is now explicitly mentioned as an exception to the prohibition of processing of special categories of personal data (Article 9(j)), but also as an exception to the purpose limitation principle (Article 5(1)(b)), to the storage limitation principle (Article 5(1)(e)) and as a possible derogation from some rights (right to access, rectification, restriction and objection). These exceptions, however, are counterbalanced by specific safeguards to be adopted in case of research purposes (Article 89). As the preamble also reveals, the GDPR recognises and encourages the development of scientific research7 (and this is why it provides specific exemptions to the general limits of data protection principles and rights), but with alternative suitable measures that need to be respected. Such measures may include specific transparency safeguards, simplified exercise of data protection rights, security measures and an attentive analysis of the impact of research on data subjects. In other words, one of the most relevant principles that researchers should take into account is accountability (see Ben Wagner in this special issue). Notions like data protection by design and DPIA thus become central. In general terms, we can affirm that there is a sui generis protection for the processing of personal data for research purposes.8

However, many issues are still unsolved, e.g.: how can we delimit the notion of “research”, avoiding abuses of such a term as a legal ground for data processing? How to adequately protect research subjects, in particular the vulnerable data subjects? Should we consider consent as an adequate legal basis for processing data for research purposes or, on the contrary, is it highly unlikely that research subjects (including the vulnerable ones) might give a really “free” and unbiased consent? How could we enhance transparency in practice? What is the role of the accountability principle (including DPIA) when dealing with data processing in research, and how should such a principle interact with the principle of “ethics in research”? This special issue of CLSR will try to engage in discussions on these fundamental research questions.

The definition of research is vague and broad in the GDPR, since – as recital 159 explains – it should also include “technological development and demonstration, fundamental research, applied research” and even “privately funded research”. This might pose several interpretational issues, including, e.g., defining the borderline between marketing studies and private research; or between academic expression and scientific research;9 or between medical treatment and health research, which is a timely problem in the age of the coronavirus pandemic.

Interestingly, the EDPS has tried to further delimit the notion of research to cases with the aim of growing society's collective knowledge and wellbeing, as opposed to serving primarily one or several private interests.10 But this notion still seems relative and open to discussion and interpretation (see Rossana Ducato in this special issue).

Another issue is what the exact relationship between law and ethics in research is (in particular in the case of Coronavirus-related research)11: recital 33 argues that the provision of consent should be allowed also in case of undefined purposes, but only when “recognised ethical standards for scientific research” are respected. Interestingly, this is the only reference to ethics in the GDPR,12 despite the broad discussion about data ethics in the European literature13 (see Charles Raab in this special issue).

Consent and purpose limitations are indeed two key issues that are largely addressed in this special issue, in particular in some critical areas of research, like genomic research (see Dara Hallinan in this special issue). The EDPB has already been very critical of the extensive use of consent in data processing for research purposes, in particular in the case of medical trials.14 Research subjects are often in a situation of power asymmetry (patients, employees, asylum seekers, etc.) that generates decisional vulnerability.15 Such vulnerability does not allow them to give a really free consent according to Article 7 GDPR. This is in line with a large part of the legal literature in the field of data protection that recommends limiting the use of “consent” as a legal basis due to its fallacy and the difficulty of reaching a really informed and free consent.16 However, the EDPS seems to generally accept the use of consent in the research field, although under some specific conditions.17 There are at least two problems with using alternative legal bases.

First, while private universities or research entities can use “legitimate interests” (Article 6(f)), public universities or research centres would be forced to use “public interests” (Article 6(e))18: this might create unreasonable disparities between different entities that should however respect similar rules and ethical standards (e.g., private entities would be required to do the balancing test, while the public ones would not; in case the data subjects object to the data processing according to Article 21, public entities could profit from the exemption at Article 21(6),19 while private entities cannot).

Second, in case of processing of special categories of personal data, the only legal basis alternative to consent might be the necessity for scientific research purposes (Article 9(2)(j)), but that legal basis is conditional on the approval of a “Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific” safeguards. As the EDPS argued, many Member States have not yet approved these laws.20 Accordingly, researchers might not use that exemption and would be required to ask for explicit consent (Article 9(2)(a)), even though it might be inappropriate in case of power imbalance between researchers and subjects.

Actually, in the age of the COVID-19 pandemic, most Member States have already approved emergency pieces of legislation that also include the processing of special categories of data for research purposes.21 However, as the EDPB has also clarified, such legislation should be strictly limited to the duration of the emergency at hand and prove the necessity and proportionality of the derogatory provisions.22 The issue of necessity and proportionality is also a key issue in the implementation of the DPIA (Article 35(3)(b)).23

Another relevant problem in data processing for research purposes, especially in the age of the pandemic, is purpose limitation. As affirmed above, the risks (e.g. for personal data of people who tested positive for COVID-19) of secondary purposes with significantly adverse effects on individuals (and on democracy in general)24 might be relevant. The principle of purpose limitation in research might be limited, but relevant safeguards (Article 89) should be implemented: e.g., pseudonymization, transparency and personalized safeguards for vulnerable individuals (see Denise Amram in this special issue). Each of these points, however, might be problematic.

As regards pseudonymised data in research, some commentators have posed interpretational issues in case the data are acquired without the identifiers from a research entity which has pseudonymised the data: can these de-identified data be considered anonymous for those who acquire them?25

Regarding transparency duties, more discussion is needed on particular personalised information and legibility requirements in case of research (see Arianna Rossi and Gabriele Lenzini in this special issue): there might be “secondary” data subjects (e.g. relatives of the genomic research subject) that are not informed,26 or there might be covert research where disclosing information might be detrimental to the success of the research (but the GDPR cannot help, since there are no exemptions for data collected directly from the subjects, Article 13),27 or there might be particularly cognitively vulnerable subjects that would not understand standard information.

The issue of vulnerable data subjects seems particularly unexplored in the data protection framework (see Gianclaudio Malgieri and Jedrzej Niklas in this special issue): the perspective of data protection in research (and the related literature on research ethics28) might be an opportunity to finally address this issue, which WP29 also touched upon (without clear explanation) in several parts.29

This special issue is not aimed at offering clear answers, but clear problematizations of open issues. The aim is to open a vivid discussion with scholars, policymakers, institutions and stakeholders in order to balance two fundamental values of our society, which are also strongly related: cultural and scientific growth and fundamental rights and freedoms (including privacy and data protection). The first without the second has little value.

Declaration of Competing Interest

No conflict of interest.

Footnotes

The deputy editor is extremely grateful to the authors and the secret reviewers for their invaluable efforts. This special issue is open access and funded by the EU Commission, H2020 SWAFS Programme, PANELFIT Project, research grant number 788039.

1

European Data Protection Board, Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak, Adopted on 21 April 2020, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf

2

Kelly Servick, ‘Cellphone Tracking Could Help Stem the Spread of Coronavirus. Is Privacy the Price?’ Science AAAS (22 March 2020) <https://www.sciencemag.org/news/2020/03/cellphone-tracking-could-help-stem-spread-coronavirus-privacy-price> accessed 1 April 2020; Janosch Delcker, ‘POLITICO AI: Decoded: Artificial Intelligence in the Age of a Pandemic—Germany's Data Donation Experiment — A White Knight from Beijing?’ (POLITICO, 25 March 2020) <https://www.politico.eu/newsletter/ai-decoded/politico-pro-ai-decoded-artificial-intelligence-in-the-age-of-a-pandemic-germanys-data-donation-experiment-a-white-knight-from-beijing-2/> accessed 1 April 2020.

3

Actually, new efforts of researchers are focussing on data minimization techniques that would avoid the use of location data to track possible contagion. See, e.g., Janosch Delcker, Stephen Brown, ‘Europe Shares Code for New Coronavirus Warning App’ (POLITICO, 1 April 2020) <https://www.politico.eu/article/europe-cracks-code-for-coronavirus-warning-app/> accessed 1 April 2020.

4

European Data Protection Board, ‘Statement on the Processing of Personal Data in the Context of the COVID-19 Outbreak. Adopted on 19 March 2020’ (2020) 2 <https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf>.

5

Yuval Noah Harari, ‘The World after Coronavirus’ Financial Times (20 March 2020) <https://www.ft.com/content/19d90308-6858-11ea-a3c9-1fe6fedcca75> accessed 29 March 2020.

6

European Parliament and Directorate-General for Parliamentary Research Services, How the General Data Protection Regulation Changes the Rules for Scientific Research. (2019) <http://publications.europa.eu/publication/manifestation_identifier/PUB_QA0419501ENN> accessed 30 March 2020; European Data Protection Supervisor, ‘A Preliminary Opinion on Data Protection and Scientific Research’ (2020) <https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf>.

7

See, e.g., the tone of recital 159.

8

European Data Protection Supervisor (n 5) 21 referring to the ‘special regime’ for scientific research in the data protection framework.

9

ibid 9–10.

10

ibid 13.

11

See the role of ethical checks in this ICT research project adopted by the NHS in the UK: Hannah Devlin Science, ‘NHS Developing App to Trace Close Contacts of Coronavirus Carriers’ The Guardian (31 March 2020) <https://www.theguardian.com/uk-news/2020/mar/31/nhs-developing-app-to-trace-close-contacts-of-coronavirus-carriers> accessed 1 April 2020.

12

The only other indirect reference is: “breach of ethics for regulated professions” at Article 23(1)(g).

13

See, e.g., Gry Hasselbalch and Pernille Tranberg, Data Ethics: The New Competitive Advantage (PubliShare 2016); High-Level Expert Group on Artificial Intelligence of the European Commission, ‘Ethics Guidelines for Trustworthy AI’ (2019) <https://ec.europa.eu/futurium/en/ai-alliance-consultation/guidelines#Top>.

14

European Data Protection Board, ‘Opinion 3/2019 Concerning the Questions and Answers on the Interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR)’ (2019) <https://edpb.europa.eu/our-work-tools/our-documents/opinion-art-70/opinion-32019-concerning-questions-and-answers-interplay_en>.

15

Éloïse Gennet, Roberto Andorno and Bernice Elger, ‘Does the New EU Regulation on Clinical Trials Adequately Protect Vulnerable Research Participants?’ (2015) 119 Health Policy (Amsterdam, Netherlands) 925.

16

Gabriella Fortuna-Zanfir, ‘Forgetting about Consent. Why the Focus Should Be on “Suitable Safeguards” in Data Protection Law’ in Serge Gutwirth, Ronald Leenes, Paul De Hert (ed), Reloading Data Protection (Springer 2014); Bart W Schermer, Bart Custers and Simone van der Hof, ‘The Crisis of Consent: How Stronger Legal Protection May Lead to Weaker Consent in Data Protection’ (2014) 16 Ethics and Information Technology 171; S. van der Hof, ‘I Agree... Or Do I? A Rights-Based Analysis of the Law on Children's Consent in the Digital World’ (2017) 34 Wisconsin International Law Journal 409; Julie E Cohen, ‘Turning Privacy Inside Out’ (2019) 20 Theoretical Inquiries in Law <http://www7.tau.ac.il/ojs/index.php/til/article/view/1607> accessed 23 January 2019.

17

European Data Protection Supervisor (n 5) 20.

18

Article 6(1) at its last sentence clarifies that public entities cannot use the legal basis of “legitimate interest” at Article 6(1)(f).

19

Article 21(6): “Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest”.

20

European Data Protection Supervisor (n 5) 23.

21

See, as the first case in the EU, the Italian Decreto Legge n.14/2020, Article 14.

22

European Data Protection Board (n 3) 2.

23

See, e.g., Dariusz Kloza and others, ‘Towards a Method for Data Protection Impact Assessment: Making Sense of GDPR Requirements’ 6.

24

See, Giovanni Comandé, Denise Amram, Gianclaudio Malgieri, 'The democracy of emergency at the time of the coronavirus: the virtues of privacy', Opinio Juris in Comparatione, forthcoming 2020, http://www.opiniojurisincomparatione.org/opinio/article/view/144/152

25

Miranda Mourby and others, ‘Are “Pseudonymised” Data Always Personal Data? Implications of the GDPR for Administrative Data Research in the UK’ (2018) 34 Computer Law & Security Review 222.

26

Mark Taylor, Genetic Data and the Law: A Critical Perspective on Privacy Protection (Cambridge University Press 2012) 105; See also, on the topic of the use of data of deceased subjects to profile living relatives, Gianclaudio Malgieri, ‘R.I.P.: Rest in Privacy or Rest in (Quasi-)Property? Personal Data Protection of Deceased Data Subjects between Theoretical Scenarios and National Solutions’ in Ronald Leenes, Rosamunde van Brackel, Serge Gutwirth and Paul De Hert (eds), Data Protection and Privacy: The Internet of Bodies (Hart Publishing 2018) <https://papers.ssrn.com/abstract=3185249> accessed 17 December 2018.

27

European Data Protection Supervisor (n 5) 21.

28

See, e.g., Robert E Goodin, Protecting the Vulnerable: A Reanalysis of Our Social Responsibilities (University of Chicago Press 1985); Doris Schroeder and Eugenijus Gefenas, ‘Vulnerability: Too Vague and Too Broad?’ (2009) 18 Cambridge quarterly of healthcare ethics: CQ: the international journal of healthcare ethics committees 113; Florencia Luna, ‘Elucidating the Concept of Vulnerability: Layers Not Labels’ (2009) 2 International Journal of Feminist Approaches to Bioethics 121.

29

See, e.g., Article 29 Working Party, Guidelines on DPIA, WP248, adopted on 4 April 2017, 9. See also Article 29 Working Party, Opinion 03/2013 on purpose limitation, WP 203, 32; Article 29 Working Party, Guidelines on Transparency under Regulation 2016/679 clarifying requirements of the EU GDPR, WP 260, 9; Article 29 Working Party, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, WP 251 rev.01, 22.


Articles from Computer Law & Security Review are provided here courtesy of Elsevier
