What does the agreed version of the GDPR say about processing personal data for research purposes? Is the GDPD better than the Directive?
So here we are. It’s almost Christmas and after three years of intense debate the Council of the European Union and the European Parliament have announced that they have informally agreed on what could become very soon the General Data Protection Regulation (the GDPR).
Unsurprisingly it is a 204-page document with more than 91 articles and 135 recitals. The purpose of this post is not to cover all the relatively novelties about to be brought by the GDPR in comparison with the current framework (based on the Data Protection Directive of 1995) but to focus on one aspect of the proposed piece of legislation: the processing of personal data for research purposes.
The 17-December version released by the European Parliament is not exactly the same as the version released by the Council of the EU in preparation for trilogue discussions (dated 27 November 2015) and for several reasons is less pro-researchers.
Let’s start with the Data Protection Directive (DPD). You might remember that:
- “[T]he further processing of personal data for historical, statistical or scientific purposes is not generally to be considered incompatible with the purposes for which the data have previously been collected provided that Member States furnish suitable safeguards; whereas these safeguards must in particular rule out the use of the data in support of measures or decisions regarding any particular individual” says Recital 29. “Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards” repeats Article 6(b). In other words, it is possible to process data (aldready collected) for research purposes as long as Member States have added safeguards. The DPD only identifies 1 safeguard: the data cannot be used to “support measures or decisions regarding any particular individual”. [As long as you do research to make predictions or suggestions then it might to be fine…. Assuming it makes sense to imply that making suggestions cannot equate to making decisions or measures!] [See also para. 69 of the ICO Code of practice on Big Data]. As there is a presumption of compatibility between the first purpose and the subsequent purpose (research) it might be logical to think that the legitimate interest of the data controller should suffice to make the further processing for scientific purposes lawful [….unless Article 29 Working Party just got it wrong when it said that a new legal basis is needed even if the further processing is not incompatible with the initial processing… which is not impossible…what do they think of Recital 50 of the GDPR?].
- If the ultimate objective is to “support measures or decisions regarding any particular individual”, the question is whether a new legal basis can compensate the incompatibility of the further processing and make it lawful. Article 15 prohibits automated individual decisions in the following manner: “Member States shall grant the right to every person not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc”. [But as with every principle there are also some exceptions, and it is arguable that para. 2(a) significantly reduces the scope of the prohibition].
- If the ultimate objective is not to “support measures or decisions regarding any particular individual”, but there is no ‘data debris’ (i.e. no prior processing of personal data for a different purpose), the processing of the personal data for research purposes has to be based on a legal basis. The question is then whether the legitimate interest of the data controller can be used as a legitimate basis (Article 7(f)) eliminating the need for collecting the informed consent of data subjects. If the research is in the public interest, there is an argument that this could be the case. The 26-November version had made the processing for research purposes a legal basis of its own! (Article 6(2) at that time, although put into brackets, read as follows: “Processing of personal data which is necessary for archiving purposes in the public interest, or for historical, statistical or scientific purposes shall be lawful subject also to the conditions and safeguards referred to in Article 83”)
- Clearly, just as with other data controllers, researchers too have to comply with Article 17 about security obligations, as long as they do not only work on anonymised data. Anonymised data is indeed outside the scope of the Directive (Recital 26 defines explains it all: “whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable”).
While, as I said, the 27-November version made the processing of personal data for research purposes a legal basis of its own, this is not the case anymore with the 17-December version. But to what extent does the 17-December version differ from the Directive?
- Recital 126 defines what is meant by research [I should make it clear that strictly speaking the Recitals of a piece of legislation are not binding, although they do influence the CJEU’s interpretation of the text]: “For the purposes of this Regulation, processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research, privately funded research and in addition should take into account the Union’s objective under Article 179(1) of the Treaty on the Functioning of the European Union of achieving a European Research Area. Scientific research purposes should also include studies conducted in the public interest in the area of public health”. [It is thus a very broad definition].
- Contrary to what the 27-November version provided for, the 17-December version does not make the processing of personal data for scientific research purposes a lawful processing per se. Article 5(1)(b) says that “further processing of personal data for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes shall, in accordance with Article 83(1), not be considered incompatible with the initial purposes”. Article 5(1)(b) is thus slightly more demanding than the Directive version of it, in as much as it refers to its Article 83(1) which requires compliance with the data minimisation principle and suggests the implementation of pseudonymisation practices. [Truly, its Article 5(1)(c) also contains the principle of data minimisation so it is not entirely clear whether Article 83(1) is fully innovative!].
- Article 9 now expressly states that when the processing is necessary for scientific research purposes the prohibition to process sensitive data can be lifted by the EU or the Member States (as long as Article 83(1) is complied with, the essence of the right to data protection is respected, and suitable safeguards are put in place). It is true that Article 9 still mentions (just like Article 8(e) of the Directive) the exception to the prohibition on processing sensitive data when “the processing relates to personal data which are manifestly made public by the data subject”. Does this mean that researchers would necessarily have a legal basis to render the processing of personal data lawful? It would make sense to check whether the data controller has a legitimate interest to undertake the processing anyway. In any case, the foregoing implies that publicly available personal data is still personal data!
- Article 83(1) provides that researchers have to put in place technical and organisational measures to “ensure the respect of the principle of data minimisation”. “These measures may include pseudonymisation, as long as these purposes can be fulfilled in this manner”. This Article should come with a health warning. Pseudonymisation is not the same thing as anonymisation. Article 4 defines pseudonymisation as the “processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person”. Recital 23 adds that: “Data which has undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered as information on an identifiable natural person.” In other words, pseudonymous data is still personal data, whereas anonymous data is not personal data anymore. Even more, encrypted data is not anonymous data. This is implied by Articles 6(e), 30 and Recital 66.
- Given the broad definition of scientific research purposes, Recital 23c might make more sense. It reads as follows: “in order to create incentives for applying pseudonymisation when processing personal data, measures of pseudonymisation whilst allowing general analysis should be possible within the same controller when the controller has taken technical and organisational measures necessary to ensure, for the respective processing that the provisions of this Regulation are implemented, and ensuring that additional information for attributing the personal data to a specific data subject is kept separately”. [Does it mean that when personal data is pseudonymised, it can be further process for a wide range of scientific research purposes?].
- Neither of the versions of the GDPR expressly distinguishes between research activities leading to “measures or decisions regarding any particular individual” and research activities stopping before this point. However [and this is an important point], Article 33 requires the carrying out of a prior data protection impact assessment in circumstances when the processing implies “a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significantly affect the individual”. And, as per Article 4, profiling means: “any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”. Furthermore, Article 20 still contains a right not be subject to an automated individual decision, including profiling [subject to some notable exceptions and in particular “if the decision is necessary for entering into, or performance of, a contract between the data subject and a data controller” as long the data subject has a right to be heard]. Notably, automated individual decisions including profiling cannot be based on sensitive data.
- Finally, as regards the exceptions to the rights of access, information, rectification, restriction and the right to object that are applicable, or that the Member States can carve out, the EU legislator does not expressly state that these exceptions could only apply if the research activities were not aimed at supporting “measures or decisions regarding any particular individual” .
So in the end, which one is better: the Data Protection Directive or the GDPR?
On 18 December the Council confirmed the agreement with the European Parliament.