In response to a set of questions from the European Commission, the European Data Protection Board (“EDPB”) has published some high level guidance on the application of the GDPR to health research (“Guidance”). This article summarises the key takeaway points from that guidance.
For obvious reasons, the past year has done much to highlight the importance of scientific research into health. Against the backdrop of the ongoing pandemic, the EU Commission has exercised its right under Article 70 of the GDPR to request written advice from the EDPB on a number of issues relating to the application of the GDPR to health research. Whilst many of the answers provided by the EDPB are relatively brief and high-level in nature, there are some interesting points to highlight.
The Guidance is the latest in a series of publications by the EDPB in this area. In 2019, we got Opinion 03/2019 on the interplay between the Clinical Trials Regulation and the GDPR, whilst last year, in the early days of the pandemic, the EDPB published Guidelines 03/2020 on scientific research in the context of Covid-19. The new Guidance builds on both of those previous papers, and also refers back to historic EDPB and Article 29 Working Party (the predecessor to the EDPB) guidance on issues such as consent. Importantly, the EDPB also confirms that the Guidance will be followed up, later this year, by a more detailed set of guidelines on scientific research which will elaborate on many of the points made in brief in the Guidance. It is notable that the questions chosen by the EU Commission are some of those which most regularly provoke debate amongst lawyers and other practitioners in this field, and therefore the detailed Guidelines will be much anticipated.
The Guidance is wide-ranging (covering 21 questions raised by the Commission), but the following is an overview of some of the most interesting points addressed by the EDPB.
Legal Basis for Processing in Research
The question of the appropriate legal basis (under both Articles 6 and 9 GDPR) to rely on in the context of scientific research is one that frequently vexes data controllers.
The Guidance repeats a message that was also made in the 2019 Opinion – that a requirement for ‘ethical’ consent should not be confused with a requirement for consent as a legal basis under the GDPR. Whilst consent may sometimes be an appropriate legal basis, it may more often be the case that legitimate interests (Art. 6(1)(f)) or compliance with a legal obligation (e.g. clinical trial safety reporting, Art. 6(1)(c)), in conjunction with necessity for scientific research purposes (Art. 9(2)(j)) is the more appropriate path.
However, in a blow for controllers who are frustrated by the divergent approaches taken to legal basis across Member States, the Guidance foresees that it may be necessary to rely on different legal bases where a single research project takes place in several Member States. In particular, the scientific research purposes basis (Art. 9(2)(j)) allows Member States to introduce additional safeguards in local law, meaning that a piece of research may meet those requirements in some Member States but not others.
In our view one point needs emphasising here – divergent approaches should only necessary because of permitted derogations in Member State law, not differences in custom or local interpretation.
Elsewhere, the Guidance confirms that Recital 33 of the GDPR offers some room for flexibility in describing research purposes for which consent is obtained from the data subject (a frequent difficulty for controllers is aligning the requirement for ‘informed’ consent with research purposes that may, at the outset of a project, be hazily defined). However, it cautions that there must still be an ‘obvious link’ between what is described at the point of consent and the eventual research, and the reasonable expectations of the data subject must be taken into account.
Re-purposing for Research
The Guidance spends some time examining issues associated with re-purposing data for scientific research (sometimes referred to as ‘secondary use’).
Frequently, research organisations will look to rely on the presumption of compatibility under Article 5(1)(b) GDPR, which presumes that where personal data is re-used for scientific research, that further use is ‘compatible with’ the original use (and can therefore be lawful). However, the Guidance cautions controllers that this requires the research to adopt the safeguards under Article 89(1) GDPR (most notably, pseudonymisation) as well as any safeguards prescribed by Member State law.
Tantalisingly, an answer to the Commission’s question on the re-use of health data from social media platforms, activity trackers or publicly available databases is deferred until the more detailed Guidelines later this year.
In connection with the issues of secondary research, the Commission asks whether there is any exemption available from transparency (i.e. privacy notice) requirements for controllers who collect data from data subjects, and then want to further process it for research purposes. Unfortunately, the EDPB confirms the clear statutory position that there is no exemption from the Article 13 requirement for transparency for such a controller. In these cases, the EDPB recommends (i) taking into account the possibility for future research when first collecting data; and (ii) implementing ‘more dynamic ways’ of information data subjects about future research.
In more welcome news, when it comes to transparency regarding the retention of data, the EDPB confirms that personal data can be stored for longer than necessary for the original purpose for which it was collected, if it is being retained for scientific research purposes (and subject to the Article 89(1) and Member State law safeguards).
Anonymisation / Pseudonymisation
A fundamental ethical and legal consideration for research is the identifiability value of the data used for that research. First, the EDPB repeats the key points that anonymisation must always be distinguished from pseudonymisation. The key message of this section is that the scientific research framework created by the GDPR is, to some extent, built around pseudonymisation. Therefore, controllers should not assume that anonymisation (which, the EDPB reminds us, can be very difficult both to implement, but also to maintain over time as available technology changes) is a necessary enabler of research. Rather, research organisations might be better off accepting that data is pseudonymised, and taking the appropriate steps to comply with the regime for processing such data under the GDPR.
A frequent area of technical debate for those in this field is the question of whether it is possible to anonymise genetic data, given that (with the right technology) it is in generally accepted that genetic data can always be linked to an individual. The EDPB accepts that this remains an unresolved issue, and therefore (‘in the interests of protecting the rights and freedoms of individual data subjects’) it strongly advises controllers to always treat genetic data as personal data.
James Clark, DLA Piper
If you have any questions about the Guidance, please contact your usual DLA Piper contact or the author of this article.
 For example, the requirement for informed consent under the Helsinki Declaration in the context of medical research
 Recital 33 provides that: “It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. 3Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.”
 Unlike the position for controllers who receive personal data from another controller, who may be able to benefit from the ‘disproportionate effort’ exemption under Article 14(5)(b), particularly in the context of scientific research.