Opening Insights
The General Data Protection Regulation (GDPR) comes into effect in May 2018. It replaces the Data Protection Directive 95/46/EC and imposes new obligations on organizations that process the personal data of European Union residents. The Regulation aims to bolster privacy rights and boost digital innovation within the EU. GDPR provides privacy and security, while carving out exemptions for scientific, historical and health research.
Research occupies a privileged position within the Regulation. Organizations that process personal data for research purposes may avoid restrictions on secondary processing and on processing sensitive categories of data (Article 6(4); Recital 50). As long as they implement appropriate safeguards, these organizations also may override a data subject’s right to object to processing and to seek the erasure of personal data (Article 89).
Additionally, the GDPR may permit organizations to process personal data for research purposes without the data subject’s consent (Article 6(1)(f); Recitals 47, 157). In isolated cases, these organizations may be able to transfer personal data to third countries for research purposes, without any other transfer mechanism in place (Article 49(h); Recital 113).
The GDPR adopts a “broad” definition of research, encompassing the activities of public and private entities alike (Recital 159). In the age of big data, where the data analytics activities of many organizations may qualify as research (see Omer Tene and Jules Polonetsky’s, “Beyond IRBs: Ethical Guidelines for Data Research”), it is unclear exactly how far the GDPR’s research exemption will extend. One thing is clear, however: The GDPR aims to encourage innovation, as long as organizations implement the appropriate safeguards.1
What does this mean for non-profit and for-profit organizations that collect data for informational and research purposes... YOU MAY BE SURPRISED!
Informational Insights
The GDPR creates heightened obligations for entities that process personal data, it also creates new exemptions for research as part of its mandate to facilitate a Digital Single Market across the EU. Specifically, the GDPR exempts research from the principles of storage limitation and purpose limitation so as to allow researchers to further process personal data beyond the purposes for which they were first collected. Research may furnish a legitimate basis for processing without a data subject’s consent. The Regulation also allows researchers to process sensitive data and, in limited circumstances, to transfer personal data to third countries that do not provide an adequate level of protection. To benefit from these exemptions, researchers must implement appropriate safeguards, in keeping with recognized ethical standards, that lower the risks of research for the rights of individuals.
[...]
Private for-profit companies can claim the research exemptions under the regulation. However, research is a very narrow grounding for international data transfers -- it applies only to small-scale non-repetitive transfers. In the context of clinical trials, it may be easier to obtain the data subject's explicit consent to the transfer at the time when you ask the patient for informed consent.
Research as a basis for processing
Organizations that process personal data (“controllers”) must have a lawful basis for any processing activity. Article 6(1) delineates the lawful bases for processing, which include the data subject’s consent and processing that is necessary for the legitimate interests of the controller. Where a controller collects personal data under a lawful basis, such as consent, Article 6(4) allows it to process the data for a secondary research purpose. Research, however, is not explicitly designated as its own lawful basis for processing, but, in some cases, it may qualify under Article 6(1)(f) as a legitimate interest of the controller. Thus, while the GDPR explicitly permits re-purposing collected data for research, it also may permit a controller to collect personal data initially for research purposes, without requiring the data subject’s consent.
The GDPR... [creates an] exemption to the principle of purpose limitation for research. Article 5(1)(b) states, “further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.” Article 89 sets out the safeguards that controllers must implement in order to further process personal data for research.
Research as a legitimate basis for processing
The GDPR clearly intends to relax restrictions on further processing personal data for research purposes. What about where research is the primary purpose? The Regulation suggests that, at least in some circumstances, research itself may furnish a legitimate basis for processing personal data, even in the absence of the data subject’s consent.
Controllers may process personal data, without consent, when “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject” (Article 6(1)(f)).
The concept of “legitimate interests” is further explained in Recital 47, which provides that controllers should take into account “the reasonable expectations of data subjects based on their relationship with the controller.” Determining the existence of a legitimate interest requires a “careful assessment” of whether there is “a relevant and appropriate relationship” and “whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place” (Recital 47). This is a highly fact- and context-specific analysis.
The GDPR... may permit processing for research purposes as a legitimate interest. Although research is not specifically mentioned as a legitimate interest, Recital 157 identifies the benefits associated with personal data research, including the potential for new knowledge about “widespread medical conditions” and the “long-term correlation of a number of social conditions.” The results of research can “provide the basis for the formulation and implementation of knowledge-based policy, improve the quality of life for a number of people, and improve the efficiency of social services.” Moreover, Recital 47 explicitly provides that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
Note, however, that the legitimate interest basis sets out a balancing test, where even if a controller has a legitimate interest in research, it may be “overridden” by the data subject’s rights. Additionally, this basis applies only to private entities. A public entity may process personal data without consent under Article 6(e) – “the performance of a task carried out in the public interest” – which requires a legislative mandate from the Member State or the EU for the processing operation.
Conditions for exemption
Controllers that process personal data for research purposes must implement “appropriate safeguards” (Article 89(1)). These controllers must put in place “technical and organizational measures” to ensure that they process only the personal data necessary for the research purposes, in accordance with the principle of data minimization outlined in Article 5(c). When processing personal data for research purposes, Recital 33 states that controllers should act “in keeping with recognized ethical standards for scientific research.” It is worth noting that in the context of data research, as opposed to more traditional human subject research, those very ethical standards are still being debated.
Article 89(1) provides that one way for a controller to comply with the mandate for technical and organizational measures is through deployment of “pseudonymization.” Pseudonymization is “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable individual” (Article 4(3b)). Pseudonymization is not always required but rather its use is encouraged “as long as [the research purposes] can be fulfilled in this manner” (Article 89(1)).
Unlike anonymous data, pseudonymous data remains subject to the remit of the Regulation. Many of the techniques traditionally used to protect privacy in research settings, such as key-coding, fall within the definition of pseudonymization and therefore remain subject to the Regulation. Anonymous data, by contrast, falls outside the scope of the Regulation. Although this creates an incentive for controllers to anonymize data, determining whether data is anonymous is a fact-specific inquiry. Unlike the U.S. Health Insurance Portability and Accountability Act (HIPAA), which sets forth a rule exempting data from regulation if 18 specific identifiers are removed, the GDPR applies a standard, considering data anonymous only when it cannot be identified by any means “reasonably likely to be used ... either by the controller or by another person” (Recital 26). Thus, even if a researcher no longer has the ability to re-identify a data set, such data set may still be regulated under the GDPR if it could be re-identified with reasonable effort.
Notice requirements
Although controllers are not required to obtain the data subject’s consent for all processing for research purposes, they remain bound by the GDPR’s notice requirements. Article 12(1) requires controllers to “take appropriate measures” to inform data subjects of the nature of the processing activities and the rights available to them. Controllers are required to provide this information in all circumstances, regardless of whether consent is the basis for processing, “in a concise, transparent, intelligible and easily accessible form, using clear and plain language” (Article 12(1)).
[...]
Providing up front notice about research at the point of collection poses a challenge for researchers because of the difficulty in identifying research purposes in advance, especially in the context of big data. Unlike traditional research, where a researcher identifies a hypothesis and tests it against a data set, data mining techniques often search for correlations within data sets without the baseline of a specific test hypothesis (see Tal Z. Zarsky’s “Desperately Seeking Solutions: Using Implementation-Based Solutions for the Troubles of Information Privacy in the Age of Data Mining and the Internet Society”). Thus, a researcher may not know the scope of her research until after the data is collected and used. The GDPR accounts for this challenge in Recital 33, providing that data subjects should be able to “consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.” This demonstrates that the Regulation permits more relaxed specificity in the notice provided for research processing.
Additionally, a researcher may be exempt from the notice requirement if she received the personal data from someone other than the data subject, such as where the data came from a publicly available source.
[...]
Exemptions from data subject rights
The GDPR creates a host of data subject rights that controllers are bound to uphold when they process personal data. Consistent with exemptions from the purpose limitation and storage limitation principles for research processing, the Regulation carves out exceptions to data subject rights for processing related to research. Exemptions from the right to erasure and the right to object stem directly from the text of the Regulation. Additionally, member states may craft exemptions to a number of other rights by appropriate legislation.
Exemptions directly provided in the GDPR
Article 17 supplies each data subject with the right to have her personal data erased when she withdraws consent or objects to the processing, as well as when the data are no longer needed for the purpose for which they were first collected. In many cases, complying with this right threatens the integrity of a researcher’s dataset. To address this concern, the Regulation exempts research from the right to erasure insofar as it is “likely to render impossible or seriously impair the achievement of the [research] objectives” (Article 17(3)(d)). Thus, at least in some cases, researchers may further process personal data for research purposes in spite of a data subject’s request for erasure.
Under Article 21, data subjects retain a right to object to processing, even for research purposes. However, a researcher may override a data subject’s objection if “the processing is necessary for the performance of a task carried out for reasons of public interest” (Article 21(6)). For a task to be justified by public interest, Recital 45 specifies that it “should have a basis in Union or Member State law.”
Exemptions requiring member state legislative action
Article 89(2) allows member states or the EU to limit data subject rights to access, rectification, restriction, and the right to object where processing is for research purposes subject to the appropriate safeguards. However, this is not a blanket authority to derogate from these rights. The derogations must be “necessary for the fulfillment of [the research] purposes” and they are only permissible if allowing data subjects to exercise their rights likely would “render impossible or seriously impair the achievement of the specific purposes.”
[...]
Transferring personal data to third countries for research purposes
The GDPR prohibits the transfer of personal data to countries outside of the EU unless they offer an “adequate level of protection” as determined by the European Commission (Article 45(1)). A controller also may transfer personal data to a third country if it has implemented specific safeguards, including Binding Corporate Rules and standard contractual clauses, or if the data subject has provided explicit consent after being informed of the risks related to the transfer (Article 46(2); Article 49(1)(a)).
[...]
Profiling
The GDPR [allows for]... further processing for research that impacts individuals. However, the GDPR also creates additional safeguards to protect individuals from this type of processing. Article 35(2)(a) requires controllers to conduct a privacy impact assessment (PIA) any time “a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.”
...[W]hile on the one hand the GDPR removes the restriction on research that produces impacts for individuals, on the other hand it introduces stringent safeguards for such processing. Controllers that conduct this type of research may have to conduct a PIA and they nonetheless may be prohibited from research that impacts individuals on the basis of their sensitive personal data.
Research concerning sensitive personal data
The GDPR forbids a controller from processing “special categories of data” – sensitive data revealing racial or ethnic origin, religious or political beliefs, as well as genetic, biometric, and health data – except in certain enumerated circumstances, such as where the data subject provides “explicit consent” or where the data that was “manifestly made public by the data subject” (Article 9(2)(a); Article 9(2)(e)).
In addition to allowing researchers to process sensitive data where the data subject explicitly consents or makes her data public, the GDPR also permits a controller to process sensitive data for research purposes. Article 9(2)(j) allows a researcher to process sensitive data where “processing is necessary for [research] purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.” Thus, as clarified in Recital 52, research serves as a basis for processing sensitive data only “when provided by Union or Member State law and subject to suitable safeguards.”
[...]
Defining research
The research exemptions apply to processing personal data for scientific and historical research, statistical research, and archiving in the public interest. The recitals treat each type of research separately.
Scientific research is defined “in a broad manner” (Recital 159). The recital supplies examples, such as “technological development and demonstration, fundamental research, applied research, and privately funded research,” as well as public health research. The recital cites Article 179(1) of the Treaty on the Functioning of the European Union, which promotes “the objective of strengthening its scientific and technological bases by achieving a European research area in which researchers, scientific knowledge and technology circulate freely.” This suggests that although private research for technological development qualifies as research, there may be a requirement that the research be published or otherwise made available outside the private entity. An important interpretative question concerns the application of the research provisions to corporate contexts such as research for product improvement or marketing purposes, as opposed to “big-r” research in academic institutions, which is geared at publication and contribution to generalizable knowledge.
Additionally, “specific conditions should apply in particular as regards the publication or otherwise disclosure of personal data in the context of scientific research purposes” (Recital 159). Although not expressly stated, these “specific conditions” may refer to “recognized ethical standards for scientific research,” which are discussed in Recital 33, as well as the safeguards outlined in Article 89.
Historical research includes genealogical research, but the GDPR generally does not apply to deceased persons (Recital 160). The exception for archiving in the public interest applies to public and private entities that “hold records of public interest,” provided they are under a legal obligation “to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest” (Recital 158). The Regulation also includes a reference to “specific information related to the political behaviour under former totalitarian state regimes,” likely to facilitate research surrounding the Holocaust.
Statistical research is “any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results” (Recital 162). Generally, statistical research “implies that the result of processing for statistical purposes is not personal data, but aggregate data.” While statistical research may be used in support of scientific research, it usually is “not used in support of measures or decisions regarding any particular natural person.” The Recital specifies that the EU or the member states should legislate around the scope of the statistical research exemptions, including defining the appropriate safeguards for assuring “statistical confidentiality.”
Public health research
Public health research is treated as a subset of scientific research under the GDPR (see Recital 159), and, therefore, the same exemptions and requirements apply. However, the GDPR also contains several provisions applicable exclusively to public health research.
[...]
Recital 54 defines public health according to Regulation (EC) No. 1338/2008 as “all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality.” Given this broad definition, the activities of social media and other online platforms may qualify as public health research.1
Sources:
1 https://iapp.org/news/a/how-gdpr-changes-the-rules-for-research
Possibilities for Consideration: Transparency OR Legal Loopholes
You never change things by fighting the existing reality.
To change something, build a new model that makes the existing model obsolete.
R. BUCKMINSTER FULLER
With the irreparable distrust of organizational data integrity, transparency and accountability is the GDPR really going to make all that much difference? Is adding rules to an already corrupt system really going to change things? The problem is not the technology or data being share, the problem is the intent of the storager, researcher and organization collecting, storing and using them. The decentralized networks that social media have created will not be reversed. Companies like Facebook, Google and alike are not suddenly going to start putting customers first or start caring about their true impact on humanity. Like sharks they will keep swimming forward with their own agenda, they will navigate legal look holes like research and continue to manipulate our world. However, GDPR offers an opportunity to transform and reform the customer-organization relationship - creating a true relationship of trust.
- What if organizations could "be the change the market wants to see, and the world NEEDS."
- What if organizations could develop trust-based relationships?
- What if organizations could create a readiness for GDPR (change) (for all)?
- What if organizations could support effective data privacy, transparency and security?
- What if organizations could develop mature & informed consumers (critical thinkers)?
- What if organizations could overcome millennial attitudes, problems & safe space mentality?
- What if organizations could ensure sustainable research projects, grants and sponsorship?
- What if organizations could empower collaborative research participation and contribution?
- What if organizations could engage all stakeholders with skills of perception, critical thinking, creativity and communication to assess and discern GDPR and make informed decisions?
Add Your Insight: Collaborate to Change
The only people who can change the world are people who want to. And not everybody does.
HUGH MACLEOD