The Datenschutzkonferenz (DSK), the body that gathers the German Data Protection Authorities, has published a document on the relationship between Recital 33 of the GDPR and its application to scientific research. And, as often happens when this topic is involved, the results are useless, inconsistent and inapplicable. A more detailed analysis will allow us to understand the reason for such a harsh judgment on this document.
Firstly, the DSK states that:
"In particular, it is not considered compatible with Recital 33 if the use of the collected data is extended across the board to certain areas of research."
In other words, the DSK does not consider Recital 33 to be compatible with a broader use of data collected for a certain type of research. But this is exactly how scientific research works. By definition it is unpredictable, and its results are strongly influenced by serendipity; imposing a limitation such as that required by the DSK therefore means generating unnecessary burdens. Moreover, medical research is a field of public interest and is related to the right to health, therefore – as such – it prevails over the right to protection of personal data (BTW, this only means that in the balancing of interests, the interpretation of the GDPR should be in favor of research).
Secondly, it is true that the DSK gives way to a use of the extended consent (breiten Einwilligungen), but on conditions that do not appear to make much sense.
Among the additional guarantees in favour of the interested party, the DSK asks to:
- make the content of the research project available to the Data Subject. But the Data Subject, in order to understand the research project’s content, would need scientific knowledge at least equal to that of the researchers,
- specify why, in a certain field of research, it is not possible to indicate the additional purposes. But giving a negative proof is impossible, especially when there is no idea which roads could be discovered by proceeding with the original project,
- create a point of presence on the internet to inform participants about the evolution of current and future research. The right to the protection of personal data does not extend to the point of allowing an intrusion of the Data Subject into the research activity, nor can it establish any access rights relating to the evolution of the project. The participant receives the information, gives his consent (if applicable) and the exercise of his rights is limited to the above. This is true, in particular, in merely observational research where data is collected without even interacting with the patient,
- acquire the opinion of the ethics committee before extending the scope of the research. But the opinion of the ethics committee is mandatory under the Oviedo Convention (which does not concern the processing of personal data), only in certain types of research, and in any case not in accordance with the GDPR. If a research project is not subject to the opinion of the ethics committee, it means that it does not present risks in terms of processing personal data. If, on the other hand, the opinion of the committee is necessary, then the profiles relating to the GDPR and the protection of people’s fundamental rights and freedoms are already absorbed by the opinion itself,
- evaluate the possibility of dynamically managing the consent in order to allow the possible revocation in case of new research. Apart from the economic, bureaucratic and organizational cost of such compliance, it would be practically impossible to follow such a path in studies involving the use of huge amounts of data,
- refrain from communicating data to countries that do not offer adequate guarantees of legal protection. This indication – moreover explicit in the GDPR and therefore not “additional” – is clearly inapplicable. Do we really want to argue that data cannot be exchanged with the US? And if the EU has only recently agreed with Japan on the adequacy of the Japanese law on the processing of personal data, does it mean that everything that has been done up to that point is illegal?
- adopt encryption and pseudonymisation measures. In the GDPR, encryption is like black in fashion: a jack of all trades. And, in this specific case, it is not necessarily a feasible measure, as in the case of rare diseases where the identity of the patients is, clearly, impossible to hide. In any case, the DSK's statement is so general that it has virtually no useful purpose,
- adopt specific measures to limit access to the data collected. In this case, too, we are faced with a paraphrase of the GDPR, without any effective “added value” in the indications of the DSK.
In summary, therefore, we are faced with a document that is of little practical use because it confuses (as often happens) the formalities connected with the Oviedo Convention with those relating to the GDPR, limits itself to paraphrasing obligations already provided for by the Data Protection Regulation and proposes measures that do not take into account the specificity of research – and genetic research in particular – based on the use of large amounts of (not necessarily all) personal data.