The European Data Protection Supervisor (EDPS) this week issued a preliminary opinion on how data protection should inform scientific research, reiterating its stance that that the General Data Protection Regulation (GDPR) shouldn't be a hurdle to carrying out research.
The news is especially important for any organizations in the EU that may work in health sciences or outfits that carry out research collaborations.
There were a number of outstanding questions in the wake of the enactment of the GDPR in the EU as it relates to scientific research, namely the issue of obtaining consent as a legal basis for personal data processing vs. informed consent to take place in research, whether private companies are monopolizing data collection to shield themselves from accountability for online manipulation, and so on.
The EDPS - the independent EU authority in charge of ensuring EU institutions comply with data protection law - dug into these issues and more on Monday when it published an opinion, "A Preliminary Opinion On Data Protection and Scientific Research," on the topic.
According to the EDPS, there's no proof that the GDPR hampers scientific research; it should do the opposite:
"Data protection obligations should not be misappropriated as a means for powerful players to escape transparency and accountability,” the authority wrote in its opinion. “Researchers operating within ethical governance frameworks should therefore be able to access necessary API and other data, with a valid legal basis and subject to the principle of proportionality and appropriate safeguards.”
The guidance also helps downplay the idea that the GDPR is an impediment for researchers. While yes, data processing involves a degree of risk, the EDPS says, some of this can be attributed to what it calls ‘corporate secrecy,’ or companies failing to give clearly defined guidance around controlling data in the first place.
"It would appear... that the reluctance to give access to genuine researchers is motivated no so much by data protection concerns as by the absence of business incentive to invest effort in disclosing or being transparent about the volume and nature of data they control," the authority wrote.
Portions of the opinion emphasize the “societal good” that scientific research, fueled by the collection of personal data, drives.
"The GDPR serves in part to ensure accountability for such practices," while continuing to advance knowledge, the EDPS said, "while ensuring people are not treated as mere data sets."
While the EDPS’ opinion is preliminary, it should serve as a reminder to the European Data Protection Board - the body in charge of the application of GDPR - that it should devise some more concrete guidance around some of the principles of data processing for scientific research, like consent, compatibility, and data subject rights sooner than later.
“We recommend intensifying dialogue between data protection authorities and ethical review boards for a common understanding of which activities qualify as genuine research, EU codes of conduct for scientific research, closer alignment between EU research framework programmes and data protection standards, and the beginning of a debate on the circumstances in which access by researchers to data held by private companies can be based on public interest.”
