The Most Comprehensive Data Protection Solution

Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.

First and Only Solution to Converge:

  • Data Loss Prevention
  • Endpoint Detection and Response
  • User and Entity Behavior Analytics
DATAINSIDER

Digital Guardian's Blog

EDPS Issues Opinion on Data Protection and Scientific Research

by Chris Brook on Thursday January 9, 2020

Contact Us
Free Demo
Chat

The European Data Protection Supervisor has issued a preliminary opinion on how data protection obligations should factor into scientific research in the EU.

The European Data Protection Supervisor (EDPS) this week issued a preliminary opinion on how data protection should inform scientific research, reiterating its stance that that the General Data Protection Regulation (GDPR) shouldn't be a hurdle to carrying out research.

The news is especially important for any organizations in the EU that may work in health sciences or outfits that carry out research collaborations.

There were a number of outstanding questions in the wake of the enactment of the GDPR in the EU as it relates to scientific research, namely the issue of obtaining consent as a legal basis for personal data processing vs. informed consent to take place in research, whether private companies are monopolizing data collection to shield themselves from accountability for online manipulation, and so on.

The EDPS - the independent EU authority in charge of ensuring EU institutions comply with data protection law - dug into these issues and more on Monday when it published an opinion, "A Preliminary Opinion On Data Protection and Scientific Research," on the topic.

According to the EDPS, there's no proof that the GDPR hampers scientific research; it should do the opposite:

"Data protection obligations should not be misappropriated as a means for powerful players to escape transparency and accountability,” the authority wrote in its opinion. “Researchers operating within ethical governance frameworks should therefore be able to access necessary API and other data, with a valid legal basis and subject to the principle of proportionality and appropriate safeguards.”

The guidance also helps downplay the idea that the GDPR is an impediment for researchers. While yes, data processing involves a degree of risk, the EDPS says, some of this can be attributed to what it calls ‘corporate secrecy,’ or companies failing to give clearly defined guidance around controlling data in the first place.

"It would appear... that the reluctance to give access to genuine researchers is motivated no so much by data protection concerns as by the absence of business incentive to invest effort in disclosing or being transparent about the volume and nature of data they control," the authority wrote.

Portions of the opinion emphasize the “societal good” that scientific research, fueled by the collection of personal data, drives.

"The GDPR serves in part to ensure accountability for such practices," while continuing to advance knowledge, the EDPS said, "while ensuring people are not treated as mere data sets."

While the EDPS’ opinion is preliminary, it should serve as a reminder to the European Data Protection Board - the body in charge of the application of GDPR - that it should devise some more concrete guidance around some of the principles of data processing for scientific research, like consent, compatibility, and data subject rights sooner than later.

“We recommend intensifying dialogue between data protection authorities and ethical review boards for a common understanding of which activities qualify as genuine research, EU codes of   conduct for scientific research, closer alignment between EU research framework programmes and data protection standards, and the beginning of a debate on the circumstances in  which access by researchers to data held by private companies can be based on public interest.”

Tags: GDPR

Recommended Resources


  • The seven trends that have made DLP hot again
  • How to determine the right approach for your organization
  • Making the business case to executives
  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.